AUTHORS +1 −0 Original line number Diff line number Diff line Loading @@ -264,6 +264,7 @@ answer newbie questions, and generally made Django that much better: Greg Chapple <gregchapple1@gmail.com> Gregor Müllegger <gregor@muellegger.de> Grigory Fateyev <greg@dial.com.ru> Grzegorz Ślusarek <grzegorz.slusarek@gmail.com> Guilherme Mesquita Gondim <semente@taurinus.org> Guillaume Pannatier <guillaume.pannatier@gmail.com> Gustavo Picon Loading
django/conf/global_settings.py +1 −0 Original line number Diff line number Diff line Loading @@ -555,6 +555,7 @@ CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False CSRF_COOKIE_HTTPONLY = False CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' ############ # MESSAGES # Loading
django/middleware/csrf.py +1 −1 Original line number Diff line number Diff line Loading @@ -183,7 +183,7 @@ class CsrfViewMiddleware(object): if request_csrf_token == "": # Fall back to X-CSRFToken, to make things easier for AJAX, # and possible for PUT/DELETE. request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '') request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '') if not constant_time_compare(request_csrf_token, csrf_token): return self._reject(request, REASON_BAD_TOKEN) Loading
docs/ref/csrf.txt +4 −0 Original line number Diff line number Diff line Loading @@ -92,6 +92,9 @@ protection for your views as outlined above. The CSRF token cookie is named ``csrftoken`` by default, but you can control the cookie name via the :setting:`CSRF_COOKIE_NAME` setting. The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can customize it using the :setting:`CSRF_HEADER_NAME` setting. Acquiring the token is straightforward: .. code-block:: javascript Loading Loading @@ -456,3 +459,4 @@ A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME`
docs/ref/settings.txt +18 −0 Original line number Diff line number Diff line Loading @@ -409,6 +409,23 @@ where ``reason`` is a short message (intended for developers or logging, not for end users) indicating the reason the request was rejected. See :doc:`/ref/csrf`. .. setting:: CSRF_HEADER_NAME CSRF_HEADER_NAME ---------------- .. versionadded:: 1.9 Default: ``'HTTP_X_CSRFTOKEN'`` The name of the request header used for CSRF authentication. As with other HTTP headers in ``request.META``, the header name received from the server is normalized by converting all characters to uppercase, replacing any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name. For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting should be ``'HTTP_X_XSRF_TOKEN'``. .. setting:: DATABASES DATABASES Loading Loading @@ -3261,6 +3278,7 @@ Security * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` * :setting:`CSRF_HEADER_NAME` * :setting:`SECRET_KEY` * :setting:`X_FRAME_OPTIONS` Loading
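Review bot: in the django/middleware/csrf.py hunk, the comment just above the changed line still says "Fall back to X-CSRFToken", but the lookup now reads `settings.CSRF_HEADER_NAME`, so the comment should say the fallback is whichever header `CSRF_HEADER_NAME` selects (default `X-CSRFToken`). Also worth a sentence in the docs: because the value is looked up in `request.META`, a setting written in raw header form such as `'X-CSRFToken'` never matches, `request_csrf_token` stays `''`, and every AJAX request is rejected with `REASON_BAD_TOKEN`. That fails closed, which is the safe direction, but a startup check or a clearly worded warning would spare users a confusing debugging session.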
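Review bot: the new sentence in the first docs/ref/csrf.txt hunk, "The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default", names the `request.META` key rather than the header the client actually sends (``X-CSRFToken``). Readers at this point are about to write the JavaScript that follows ("Acquiring the token is straightforward"), so suggest wording like "the header is ``X-CSRFToken`` by default; the :setting:`CSRF_HEADER_NAME` setting holds its normalized ``request.META`` form, ``HTTP_X_CSRFTOKEN``", plus a reminder that changing the setting means the client-side code must send the matching header.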
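Review bot: two wording problems in the new CSRF_HEADER_NAME entry in the first docs/ref/settings.txt hunk. "the header name received from the server is normalized" should read "received from the client" (the server normalizes what the client sent), and "used for CSRF authentication" should be "used for CSRF protection", since the token verifies the request's origin, not the user's identity. Minor: "a ``'X-XSRF-TOKEN'`` header" should be "an ``'X-XSRF-TOKEN'`` header". The example mapping itself, ``X-XSRF-TOKEN`` to ``HTTP_X_XSRF_TOKEN``, is correct and matches the lookup in csrf.py.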