Hello,

Perhaps we could reuse settings.CSRF_COOKIE_NAME there instead of the hardcoded 
"csrfmiddlewaretoken"? That would meet the stated goal without introducing a 
new setting. Also it feels sensible to me to use the same name for the input 
and the cookie.

There would be some hiccups — 403 errors on legitimate requests — when 
upgrading a website to a new version of Django that includes this change. To 
avoid that, we could implement a backwards-compatibility shim that we would 
keep for one major version.

Best regards,

-- 
Aymeric.



> On 18 Aug 2018, at 16:40, Tim Graham <timogra...@gmail.com> wrote:
> 
> Do you think it's worth a new setting to allow customizing the CSRF token 
> name ('csrfmiddlewaretoken')?
> 
> It was proposed 9 years ago in https://code.djangoproject.com/ticket/12738 
> and closed as wontfix absent some justification.
> 
> It was again proposed a few days ago in 
> https://github.com/django/django/pull/10305 with the rationale:
> 
> Wappalyzer identifies Django application with "csrfmiddlewaretoken" input 
> name.
> https://github.com/AliasIO/Wappalyzer/blob/master/src/apps.json#L2471 
> <https://github.com/AliasIO/Wappalyzer/blob/master/src/apps.json#L2471>
> 
> I guess the idea is trying to obscure the fact that a site runs Django for 
> some "security by obscurity."
> 
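As an added illustration (not Django's code, nor from either message above), a pure-Python sketch of the backwards-compatibility shim Aymeric describes: the hidden input is looked up under the CSRF_COOKIE_NAME value, the legacy "csrfmiddlewaretoken" name is still accepted with a deprecation warning, and a request carrying neither yields no token so the middleware would reject it. The settings constants, warning class and POST payloads are constructed stand-ins.

```python
import warnings

# Constructed stand-ins for Django settings, not Django's own code. Django's default
# CSRF_COOKIE_NAME is "csrftoken"; the hidden input is hardcoded as "csrfmiddlewaretoken".
CSRF_COOKIE_NAME = "csrftoken"
LEGACY_INPUT_NAME = "csrfmiddlewaretoken"


class LegacyCsrfInputNameWarning(DeprecationWarning):
    """Hypothetical stand-in for Django's release-specific deprecation warnings."""


def get_csrf_token_from_post(post_data, cookie_name=CSRF_COOKIE_NAME):
    """Return (token, used_legacy_name) from a dict of POST fields.
    Lookup order for the compatibility shim: first the field named like the
    CSRF cookie (the proposed behaviour), then the legacy hardcoded name with a
    deprecation warning, else (None, False) so the caller rejects the request.
    """
    token = post_data.get(cookie_name)
    if token:
        return token, False
    if cookie_name != LEGACY_INPUT_NAME:
        token = post_data.get(LEGACY_INPUT_NAME)
        if token:
            warnings.warn(
                f"CSRF form field '{LEGACY_INPUT_NAME}' is deprecated; "
                f"rename the hidden input to '{cookie_name}'.",
                LegacyCsrfInputNameWarning,
                stacklevel=2,
            )
            return token, True
    return None, False


def collect_shim_results():
    """Run the shim over constructed POST payloads and count the warnings raised."""
    cases = {
        "new_name": {"csrftoken": "tokA", "title": "hello"},
        "legacy_name": {"csrfmiddlewaretoken": "tokB"},
        "both_present": {"csrftoken": "tokC", "csrfmiddlewaretoken": "tokD"},
        "missing": {"title": "no token at all"},
    }
    results = {}
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        for label, post in cases.items():
            results[label] = get_csrf_token_from_post(post)
    results["warnings"] = len(caught)  # only the legacy-only payload warns
    return results
```

Because the check is on the POST field name only, an existing template that still renders the old input keeps working until the shim is dropped, and the warning count tells an operator how many such forms remain.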

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/5796AA81-96EC-418E-A174-D11FAC28704A%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.
