Hello Guys!


I am planning to work on developing and improving the security features of 
Django.

I would like some help in formalizing the proposal so that it will meet the 
requirements.

Things I understood about how security against CSRF works and how it is 
implemented in Django (please correct me if I'm wrong):

- Whenever a user requests a csrf_token in the HTML view or using the 
  function csrf_protect(), the server creates a randomized token which is 
  different for every request (changes for requests), and we set a cookie 
  csrf_token=value.
- When a POST request is sent (or some sensitive operation is done at the 
  server side), we also send a hidden variable csrf_token which is validated 
  against the cookie (double submit cookie technique).
- The attacker may send the request from another domain on behalf of the 
  logged-in user, but the attack will mostly fail because he cannot read 
  the session data (because of the same origin policy).
- All these operations are taken care of by the CSRF middleware.

It is mentioned that you want to integrate the 
django-secure <https://github.com/carljm/django-secure> project with the Django 
project. SSL redirect, security against clickjacking and some XSS attacks were 
already implemented in the above project. Does the candidate have to improve 
those features or just integrate those features with the present Django?

How can we enhance the security measures against CSRF attacks? (I don't 
know how to enhance security using the double submit cookie technique 
which is already implemented in the Django project.)

I think we can implement the encrypted token pattern to enhance the security 
against CSRF attacks. It is mentioned that it allows us greater control over 
CSRF defense, without introducing new security concerns or architectural 
problems. I'm a newbie in this area, so please let me know if this is not a 
good idea.



I would like to hear your comments and opinions.

Thanks,

Prithviraj M Billa

github: http://github.com/Prithvirajbilla

blog: http://blog.prithvirajbilla.com
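As an added illustration (not Django's code and not part of the post), the verification logic behind the two designs discussed above: the double submit cookie check, and a stateless token in the spirit of the encrypted token pattern, here signed with an HMAC rather than encrypted. SECRET_KEY, TOKEN_TTL, issue_token, verify_token and double_submit_ok are names assumed for this example.

```python
# Added illustration, not Django's own implementation. Names and values below
# (SECRET_KEY, TOKEN_TTL, the token layout) are constructed for the example.
import base64
import hashlib
import hmac
import os
import time

SECRET_KEY = b"constructed-server-secret"   # constructed; Django uses settings.SECRET_KEY
TOKEN_TTL = 3600                             # assumed token lifetime in seconds


def double_submit_ok(cookie_token, form_token):
    """Double submit cookie: the hidden form field must match the cookie.
    hmac.compare_digest avoids leaking the matching prefix via timing."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def _mac(user_id, nonce, timestamp):
    # Bind nonce and timestamp to the user so a token cannot be replayed
    # for another account.
    msg = f"{user_id}|{nonce}|{timestamp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def issue_token(user_id, now=None):
    """Stateless token: nonce.timestamp.mac, no server-side storage needed."""
    now = int(time.time()) if now is None else now
    nonce = _b64(os.urandom(16))
    return f"{nonce}.{now}.{_b64(_mac(user_id, nonce, now))}"


def verify_token(token, user_id, now=None):
    """Reject tokens that are malformed, forged, issued for another user,
    dated in the future, or older than TOKEN_TTL."""
    now = int(time.time()) if now is None else now
    try:
        nonce, ts, mac = token.split(".")
        ts = int(ts)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - ts <= TOKEN_TTL:
        return False
    return hmac.compare_digest(_b64(_mac(user_id, nonce, ts)), mac)
```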


-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/a6c13ca0-8925-4811-ab8a-2028e4652f2a%40googlegroups.com.