Safe-ish By Default

The Django Security Model and How to Make it Better

Philip James

December 10, 2015

Transcript

  1. #safedjango @phildini

     if request is a POST:
         get csrf_token from cookie
         get csrfmiddlewaretoken from request.POST
         if both match:
             accept
         else:
             reject

  2. #safedjango @phildini

     from functools import wraps
     from django.utils.decorators import available_attrs

     def csrf_exempt(view_func):
         # Return a new function carrying the flag instead of mutating
         # view_func, so the decorator has no side effect on the original.
         def wrapped_view(*args, **kwargs):
             return view_func(*args, **kwargs)
         wrapped_view.csrf_exempt = True
         return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view)

  3. #safedjango @phildini

     if request is a POST and not view.csrf_exempt:
         get csrf_token from cookie
         get csrfmiddlewaretoken from request.POST
         if both match:
             accept
         else:
             reject
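The check from slides 1 and 3 together with the exempt-marker decorator from slide 2, as a runnable stand-in added here (it is not Django's middleware or decorator): the Request class, check_csrf, dispatch and the two view names are assumptions, and the decorator uses functools.wraps alone since Django's Python 2 shim available_attrs is not needed for this model.

```python
import hmac
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class Request:
    """Constructed stand-in for a request: only the fields the check reads."""
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)

def csrf_exempt(view_func):
    """Mark a view exempt via a flagged wrapper, without mutating view_func."""
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view

def check_csrf(request, view):
    """Slide-3 logic: non-POST requests and exempt views pass; a POST must
    carry a cookie token equal to the form token, and a missing token fails."""
    if request.method != "POST" or getattr(view, "csrf_exempt", False):
        return True
    cookie_token = request.COOKIES.get("csrftoken")
    form_token = request.POST.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check leaks nothing about token bytes.
    return hmac.compare_digest(cookie_token, form_token)

def protected_view(request):
    return "updated"

@csrf_exempt
def webhook_view(request):
    return "webhook accepted"

def dispatch(request, view):
    """Middleware-style gate: run the view only if check_csrf allows it."""
    return view(request) if check_csrf(request, view) else "403 Forbidden"

if __name__ == "__main__":
    token = "a" * 32                      # constructed sample token
    good = Request("POST", {"csrftoken": token}, {"csrfmiddlewaretoken": token})
    bad = Request("POST", {"csrftoken": token}, {"csrfmiddlewaretoken": "b" * 32})
    print(dispatch(good, protected_view))  # updated
    print(dispatch(bad, protected_view))   # 403 Forbidden
    print(dispatch(bad, webhook_view))     # webhook accepted
```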