Django - How to do CSRF on public pages? Or better yet, how to use it?

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it

I came to the conclusion that you can't use this unless you trust the person who uses the page that credits him. Is that correct?

I think I really don't understand when it is safe to use because of this statement:

This should not be done for POST forms for destination external URLs, as it will cause the CSRF token to leak, which leads to a vulnerability.

The reason this is confusing is this: to me, the "external URL" would be a page that is not part of my domain (that is, I have www.example.com and put up a form that posts to www.spamfoo.com). This obviously cannot be the case, because people will not use Django to create forms that submit to other people's sites, but how can it be true that you cannot use CSRF protection on public forms (for example, the login form)?

+4
1 answer

With apologies if I do not understand the specific source of your confusion, I will say that the question you should be asking is when NOT to use CSRF protection. You have already cited this case from the docs:

This should not be done for POST forms for destination external URLs, as it will cause the CSRF token to leak, which leads to a vulnerability.

If you are posting a form to your own domain, you want CSRF protection to be enabled, which is the default, unless you have a specific reason to disable it (which should be less common than not).

0
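As an added illustration of the answer's point (not code from the question, the answer, or the Django docs): a small helper that decides whether a rendered POST form should carry Django's `csrfmiddlewaretoken` hidden field, keeping it for forms that post back to our own domain and leaving it out of forms whose action is an external URL, which is exactly the token-leak case quoted above. `SITE_HOST`, the token value and the form markup are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed: the host of the Django site that serves the form.
SITE_HOST = "www.example.com"


def should_include_csrf_token(action_url: str, site_host: str = SITE_HOST) -> bool:
    """Return True only when the form's action stays on our own site.

    A relative action ("" or "/accounts/login/") targets the current site,
    so the token belongs there. An absolute or scheme-relative action
    ("//www.spamfoo.com/...") is same-site only if its host matches ours;
    any other destination is external and must not receive the token,
    otherwise the CSRF token leaks to a third party (the docs' warning).
    """
    parts = urlsplit(action_url)
    if not parts.scheme and not parts.netloc:
        return True  # relative URL: the POST lands on our own domain
    # urlsplit().hostname is already lower-cased and has the port stripped.
    return parts.hostname is not None and parts.hostname == site_host.lower()


def render_post_form(action_url: str, csrf_token: str, fields_html: str) -> str:
    """Render a POST form, adding the CSRF hidden field only for same-site actions.

    The field name csrfmiddlewaretoken is the one Django's {% csrf_token %}
    tag emits; csrf_token is a constructed placeholder for the real value.
    """
    hidden = ""
    if should_include_csrf_token(action_url):
        hidden = (
            '<input type="hidden" name="csrfmiddlewaretoken" '
            f'value="{csrf_token}">'
        )
    return f'<form method="post" action="{action_url}">{hidden}{fields_html}</form>'


if __name__ == "__main__":
    token = "constructed-token-value"
    # Public login form on our own site: protected, token included.
    print(render_post_form("/accounts/login/", token, '<input name="username">'))
    # Form posting to somebody else's site: token deliberately omitted.
    print(render_post_form("https://www.spamfoo.com/collect", token, ""))
```

Note that the check compares only the host: a same-host form served over plain HTTP still exposes the token on the wire, so the site should serve its forms over HTTPS as well.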

Source: https://habr.com/ru/post/1303873/
