#35796: Add setting to sign CSRF cookie
-----------------------------+----------------------------------------
Reporter: zags | Type: New feature
Status: new | Component: Core (Other)
Version: dev | Severity: Normal
Keywords: csrf cookie | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-----------------------------+----------------------------------------
Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie
signing infrastructure to sign the CSRF cookie. This would enable sites
running on a subdomain of a shared domain name (ex.
[SUBDOMAIN].herokuapp.com) to have protection from cookie tampering
(reducing the caveat currently under
https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
This setting should initially default to `False` for backwards
compatibility, although this could be changed in a future major release.
--
Ticket URL: <https://code.djangoproject.com/ticket/35796>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
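The following is an added illustration of the mechanism the ticket proposes; it is not Django's code and not part of the ticket. It re-implements the shape of `django.core.signing.Signer` output (`value:signature`, an HMAC-SHA256 over the value keyed from `SECRET_KEY` plus a salt, base64url-encoded) in the standard library so it runs without Django. Django's real `Signer` uses its own key derivation (`salted_hmac`), a `sep` argument and optional key rotation, so treat this as a model of the check, not a drop-in. The names `sign_csrf_cookie`, `unsign_csrf_cookie` and `CSRF_COOKIE_SALT` are assumed for the example, and the secret key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for settings.SECRET_KEY (assumption; never hard-code a real key).
SECRET_KEY = "constructed-example-secret-key-do-not-use"

# Salt namespaces the HMAC so a signature minted for another purpose with the same
# SECRET_KEY cannot be replayed as a CSRF cookie. Assumed name, not a Django setting.
CSRF_COOKIE_SALT = "example.csrf.cookie"


def _b64_signature(value: str, key: str, salt: str) -> str:
    """HMAC-SHA256 of value under a salt-derived key, base64url without padding.

    Simplified re-implementation of the Signer idea; Django's own derivation differs.
    """
    derived = hashlib.sha256((salt + "signer" + key).encode()).digest()
    mac = hmac.new(derived, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_csrf_cookie(token: str, key: str = SECRET_KEY) -> str:
    """Produce the cookie value that would be set when CSRF_COOKIE_SIGNED is on."""
    return f"{token}:{_b64_signature(token, key, CSRF_COOKIE_SALT)}"


def unsign_csrf_cookie(cookie_value: str, key: str = SECRET_KEY):
    """Return the token if the signature verifies, else None.

    None means "treat the cookie as absent": the middleware would then issue a
    fresh token instead of trusting a value it did not sign.
    """
    token, sep, sig = cookie_value.rpartition(":")
    if not sep:
        return None  # unsigned value (e.g. a legacy cookie)
    expected = _b64_signature(token, key, CSRF_COOKIE_SALT)
    # Constant-time comparison so verification time does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    return token


def new_csrf_token() -> str:
    """Fresh random token, analogous to what CsrfViewMiddleware generates."""
    return secrets.token_hex(16)


def demo() -> bool:
    """Walk through the cases the ticket cares about."""
    token = new_csrf_token()
    cookie = sign_csrf_cookie(token)

    # 1. Legitimate round trip: our own cookie verifies and yields the token.
    assert unsign_csrf_cookie(cookie) == token

    # 2. A sibling subdomain of a shared parent domain can set a cookie that our
    #    site will receive, but it does not hold SECRET_KEY, so any token it picks
    #    carries a signature we reject.
    planted = "sibling-chosen-token"
    planted_cookie = f"{planted}:{_b64_signature(planted, 'other-key', CSRF_COOKIE_SALT)}"
    assert unsign_csrf_cookie(planted_cookie) is None

    # 3. An unsigned value (pre-setting cookie) is also rejected, which is why the
    #    setting defaults to False until a deployment opts in.
    assert unsign_csrf_cookie(token) is None
    return True


if __name__ == "__main__":
    print("all checks passed" if demo() else "failed")
```

The design point is that the signature binds the cookie to this deployment's `SECRET_KEY`; a cookie set by another host under the same registrable domain is still delivered by the browser, but it can no longer be made to match the token the form carries, which is exactly the gap the CSRF limitations section describes.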