I am eagerly waiting to hear your comments and opinions. Thanks,

Prithviraj M Billa
github :: http://github.com/Prithvirajbilla
blog :: http://blog.prithvirajbilla.com

On Sunday, February 23, 2014 9:34:15 PM UTC+5:30, Prithviraj Billa wrote:
> Hello Guys!
>
> I am planning to work on developing and improving the security features of
> Django.
>
> I would like some help in formalizing the proposal so that it will meet
> the requirements.
>
> Things I understood about how security against CSRF works and how it is
> implemented in Django (please correct me if I'm wrong):
>
> - Whenever the user requests a csrf_token in the HTML view or using the
>   function csrf_protect(), the server creates a randomized token which is
>   different for every request (changes for requests), and we set a cookie
>   csrf_token=value.
> - When a POST request is sent (or some sensitive operation is done at the
>   server side), we also send a hidden variable csrf_token which is validated
>   against the cookie (double submit cookie technique).
> - The attacker may send the request from another domain on behalf of the
>   logged-in user, but the attack will mostly fail because he cannot read the
>   session data (because of the same-origin policy).
> - All these operations are taken care of by the CSRF middleware.
>
> It is mentioned that you want to integrate the django-secure
> <https://github.com/carljm/django-secure> project with the Django project.
> SSL redirect, security against clickjacking and some XSS attacks were already
> implemented in the above project. Does the candidate have to improve those
> features or just have to integrate those features with the present Django?
>
> How can we enhance the security measures against CSRF attacks? (I don't know
> how to enhance security using the double submit cookie technique, which is
> already implemented in the Django project.)
>
> I think we can implement the Encrypted Token Pattern to enhance the security
> against CSRF attacks. It is mentioned that it allows us greater control over
> CSRF defense, without introducing new security concerns or architectural
> problems. I'm a newbie in this area, so please let me know if this is not a
> good idea.
>
> I would like to hear your comments and opinions.
>
> Thanks,
> Prithviraj M Billa
> github: http://github.com/Prithvirajbilla
> blog: http://blog.prithvirajbilla.com
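Added example (not part of the post above and not Django's own CSRF middleware): a minimal double submit cookie check beside a stateless, server-keyed token check in the spirit of the Encrypted Token Pattern the poster mentions. The second variant uses an HMAC over user id and timestamp rather than encryption, and the key, token layout and max_age are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret; constructed here, would come from settings in practice.
SERVER_KEY = secrets.token_bytes(32)


def new_double_submit_token() -> str:
    """Random token that is set as a cookie and echoed in a hidden form field."""
    return secrets.token_hex(32)


def check_double_submit(cookie_token, form_token) -> bool:
    """Double submit cookie: the hidden field must equal the cookie value.
    A cross-site page cannot read the cookie, so it cannot forge the field.
    compare_digest keeps the comparison constant-time."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def new_bound_token(user_id, now=None) -> str:
    """Stateless token (assumed layout): user id and issue time, authenticated
    by a server-side MAC so no cookie needs to be compared on submit."""
    ts = int(now if now is not None else time.time())
    payload = f"{user_id}:{ts}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def check_bound_token(token, user_id, max_age=3600, now=None) -> bool:
    """Verify the MAC, then bind the token to the logged-in user and reject
    stale tokens. A token minted for one user fails for another."""
    try:
        uid, ts, mac = token.split(":")
        ts = int(ts)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_KEY, f"{uid}:{ts}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if str(user_id) != uid:
        return False
    current = now if now is not None else time.time()
    return 0 <= current - ts <= max_age
```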
