Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

simonw · 2020-07-01T00:23:27Z

Needed by Datasette in simonw/datasette#835

If an incoming request has no cookies there's no point in CSRF protecting it... UNLESS it's to a login form to protect againts login CSRF attacks. So the middleware should have an option for "always CSRF protect these paths" to allow /login to be protected.

If an incoming request has a Authorization: Bearer xxx token there's no need to CSRF protect it because regular user requests from authenticated browsers can't include the Bearer prefix - they will always look like this instead (which should be CSRF protected):

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

The text was updated successfully, but these errors were encountered:

Refs #11

simonw added the enhancement New feature or request label Jul 1, 2020

simonw added a commit that referenced this issue Jul 1, 2020

Don't CSRF protect Authorization: Bearer ..., refs #11

0d23766

simonw closed this as completed in d049408 Jul 1, 2020

simonw added a commit that referenced this issue Jul 1, 2020

Release 0.6

245d8ba

Refs #11

simonw mentioned this issue Jul 1, 2020

Consider dropping explicit CSRF protection entirely? simonw/datasette#877

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

simonw commented Jul 1, 2020

Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

Comments

simonw commented Jul 1, 2020