Hello, I'd be in favor of what's proposed.

Slightly related, this made me remember I had some note about proposing we add, either to the Security or the Deployment checklist documents, suggestions about (also) customizing the CSRF_COOKIE_NAME, LANGUAGE_COOKIE_NAME and SESSION_COOKIE_NAME settings, to make identifying that Django is being used harder. (This is related to what Aymeric mentions.)

It's easier if this kind of customization is performed before the initial deployment, to avoid the hassle caused by trying to change them once a site is in production; that's why I think it's a good idea to make developers/deployers aware they have these choices at that point.

Regards,

On Sat, Aug 18, 2018 at 11:40 AM Tim Graham <timogra...@gmail.com> wrote:

> Do you think it's worth a new setting to allow customizing the CSRF token
> name ('csrfmiddlewaretoken')?
>
> It was proposed 9 years ago in https://code.djangoproject.com/ticket/12738
> and closed as wontfix absent some justification.
>
> It was again proposed a few days ago in
> https://github.com/django/django/pull/10305 with the rationale:
>
> Wappalyzer identifies Django application with "csrfmiddlewaretoken" input
> name.
> https://github.com/AliasIO/Wappalyzer/blob/master/src/apps.json#L2471
>
> I guess the idea is trying to obscure the fact that a site runs Django for
> some "security by obscurity."
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/01b25887-823e-4008-9ad4-51f80e7c2590%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Ramiro Morales
@ramiromorales
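
A pre-deployment check for the settings named in this message, as an added example that is not part of the original thread or of Django itself: it reports which default identifiers one response still exposes. The function name and the sample responses are constructed for illustration, and the cookie names are assumed to be Django's defaults (`csrftoken`, `sessionid`, `django_language`).

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Django's default values for the three settings named in the message.
DEFAULT_COOKIE_NAMES = {
    "csrftoken": "CSRF_COOKIE_NAME",
    "sessionid": "SESSION_COOKIE_NAME",
    "django_language": "LANGUAGE_COOKIE_NAME",
}
# Form field name that the quoted proposal wanted to make configurable.
CSRF_FIELD = "csrfmiddlewaretoken"


class _InputNames(HTMLParser):
    """Collect the name attribute of every <input> element."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.add(name)


def default_identifiers(set_cookie_headers, html_body):
    """Return sorted findings for Django defaults visible in one response."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for cookie_name in jar:
            setting = DEFAULT_COOKIE_NAMES.get(cookie_name)
            if setting:
                findings.append(f"cookie {cookie_name!r}: default {setting}")
    parser = _InputNames()
    parser.feed(html_body)
    if CSRF_FIELD in parser.names:
        findings.append(f"form field {CSRF_FIELD!r}: fixed name")
    return sorted(findings)


# Constructed sample responses (not captured from a real site).
SAMPLE_HTML = '<form method="post"><input type="hidden" name="csrfmiddlewaretoken" value="x"></form>'
DEFAULT_SITE = ["csrftoken=abc; Path=/; SameSite=Lax", "sessionid=def; HttpOnly; Path=/"]
RENAMED_SITE = ["xt=abc; Path=/; SameSite=Lax", "sid=def; HttpOnly; Path=/"]
```

Run against `RENAMED_SITE`, the only remaining finding is the form field, which is the identifier the quoted proposal is about.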