Hi,
On Sunday 04 August 2013 01:26:58 Luke Plant wrote:
> On 28/07/13 00:12, Shai Berger wrote:
> >
> > a) Use a signed cookie for csrftoken -- using Django's existing signing
> > facility[4], this means signing the cookie with the SECRET_KEY from the
> > settings; so that an attacker cannot set
On 28/07/13 00:12, Shai Berger wrote:
> Hi everybody,
>
> TL;DR: A simple change can make Django's CSRF protection a little better; an
> additional, slightly less simple one, can also make it look better.
>
> Django's CSRF protection scheme is a bit unusual; unlike most such schemes, it do
In light of BREACH[1] it might be worth looking into having the option of
adding a one-time pad to the CSRF token as well. Has anyone started
development on any of the suggestions in this thread yet? If not, it's
something I'd be interested in exploring.
Cheers,
--
Michael Mior
michael.m...@gma
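To make the two proposals in this thread concrete, here is an added, self-contained sketch (written for this page, not Django's own code, and not anything Shai or Michael posted) of both pieces: suggestion (a), a CSRF cookie signed with the server's SECRET_KEY so a third party cannot set it, and Michael's one-time pad, a fresh random mask applied to the token each time it is rendered into a response body, so the value BREACH would try to recover by compressed-length differences changes on every response. The cookie layout (hex secret, colon, hex HMAC-SHA256), the 32-byte secret length and the "mask || (secret XOR mask)" token layout are assumptions chosen for this example, and the SECRET_KEY is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for Django's settings.SECRET_KEY (example only, not a real key).
SECRET_KEY = b"constructed-example-secret-key-do-not-reuse"
SECRET_LEN = 32  # bytes of per-session CSRF secret (assumed length for this example)


def new_csrf_secret() -> bytes:
    """Per-session secret; the cookie carries it and every form submission must prove knowledge of it."""
    return secrets.token_bytes(SECRET_LEN)


def sign_cookie(secret: bytes) -> str:
    """Suggestion (a): bind the cookie value to SECRET_KEY so an attacker cannot set it.

    Assumed layout: hex(secret) ':' hex(HMAC-SHA256(SECRET_KEY, secret)).
    """
    mac = hmac.new(SECRET_KEY, secret, hashlib.sha256).hexdigest()
    return f"{secret.hex()}:{mac}"


def verify_cookie(cookie: str):
    """Return the secret if the cookie's MAC verifies, else None (malformed or tampered)."""
    value_hex, sep, mac = cookie.partition(":")
    if not sep:
        return None
    try:
        secret = bytes.fromhex(value_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, secret, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return secret


def mask_token(secret: bytes) -> str:
    """One-time pad for the token written into the response body (the BREACH mitigation).

    A fresh random mask is drawn on every render, so the same secret appears as a
    different byte string in every response and the compressed length of the page no
    longer depends on how much attacker-controlled input matches the token. The token
    carries mask || (secret XOR mask); the mask itself is not secret, it only randomises
    what an attacker can compress against.
    """
    mask = secrets.token_bytes(len(secret))
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return (mask + masked).hex()


def unmask_token(token: str, length: int = SECRET_LEN):
    """Invert mask_token; None on malformed input (bad hex or wrong length)."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != 2 * length:
        return None
    mask, masked = raw[:length], raw[length:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def check_request(cookie: str, form_token: str) -> bool:
    """Server-side check: authentic cookie, and the unmasked form token must equal its secret."""
    secret = verify_cookie(cookie)
    if secret is None:
        return False
    submitted = unmask_token(form_token)
    if submitted is None:
        return False
    return hmac.compare_digest(secret, submitted)


if __name__ == "__main__":
    secret = new_csrf_secret()
    cookie = sign_cookie(secret)
    first, second = mask_token(secret), mask_token(secret)
    print("two renders of the same secret differ:", first != second)
    print("both renders verify against the cookie:",
          check_request(cookie, first) and check_request(cookie, second))
    # Flip the last hex digit of the MAC: the cookie is no longer authentic.
    forged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("tampered cookie rejected:", not check_request(forged, first))
```

The two halves address different attackers: the signature stops a cookie-setting attacker (a subdomain or a MITM on a non-TLS origin) from planting a token they already know, while the per-render mask only helps against a compression side channel and adds nothing against a forged cookie. Masking also does not protect other secrets reflected in the body; the token is just the one this thread is concerned with.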