Paul McMillan <[email protected]> writes:

> In the meantime, if you use SSL on each of your subdomains, you get
> strict checking of the Referer header for CSRF, which mitigates that
> particular avenue of attack. Since you're using sessions and auth, you
> should be using SSL, and so the protection is mostly free.
Of course. The sites I'm thinking of are HTTPS only. I had forgotten about the Referer header check. It seems that it would stop the subdomain-to-subdomain CSRF attacks as long as the site is only using HTTPS, wouldn't it?

Thanks for your work on this,

/ Kent Engström
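The behaviour the two messages discuss, as an added example that is not part of the thread and not Django's own middleware code: a simplified model of the strict Referer check for HTTPS requests, run against constructed requests. The `Request` class, the hostnames `app.example.com` and `evil.example.com`, and the token values are assumptions made for the illustration. The point it shows is the one Kent asks about: a sibling subdomain that can plant a `csrftoken` cookie scoped to `.example.com` passes the cookie-vs-form-token comparison, but over HTTPS its Referer is not same-origin with the target and the request is rejected; over plain HTTP the same request goes through.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """Hypothetical stand-in for a framework request object (assumption)."""
    method: str
    scheme: str          # "http" or "https"
    host: str            # assumed already validated against an allowed-hosts list
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def _origin(url):
    """(scheme, host, port) triple for a URL, or None if it has no scheme/host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    return (parts.scheme.lower(), parts.hostname.lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme.lower()))


def same_origin(url_a, url_b):
    """Strict same-origin test: scheme, host and port must all match."""
    a, b = _origin(url_a), _origin(url_b)
    return a is not None and a == b


def csrf_check(request):
    """Return None to accept the request, or a rejection reason string.

    Modeled on the check described in the thread: for HTTPS requests the
    Referer must be same-origin with the target before the usual
    cookie-token vs. form-token comparison. The cookie comparison alone
    cannot distinguish a token planted by a sibling subdomain.
    """
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None  # safe methods are not CSRF-protected

    if request.scheme == "https":
        referer = request.headers.get("Referer")
        if referer is None:
            return "Referer checking failed - no Referer."
        target = "https://%s/" % request.host
        if not same_origin(referer, target):
            return "Referer checking failed - %s does not match %s." % (referer, target)

    cookie_token = request.cookies.get("csrftoken")
    if cookie_token is None:
        return "CSRF cookie not set."
    if cookie_token != request.post.get("csrfmiddlewaretoken"):
        return "CSRF token missing or incorrect."
    return None


# Constructed sample requests. In all three the attacker on
# evil.example.com has set csrftoken=ATTACK with Domain=.example.com, so
# the victim's browser sends that cookie to app.example.com as well.
_PLANTED = {"csrftoken": "ATTACK"}
_FORGED_POST = {"csrfmiddlewaretoken": "ATTACK", "action": "transfer"}

SUBDOMAIN_ATTACK_HTTPS = Request(
    "POST", "https", "app.example.com",
    headers={"Referer": "https://evil.example.com/"},
    cookies=_PLANTED, post=_FORGED_POST)

SUBDOMAIN_ATTACK_HTTP = Request(
    "POST", "http", "app.example.com",
    headers={"Referer": "http://evil.example.com/"},
    cookies=_PLANTED, post=_FORGED_POST)

LEGIT_HTTPS = Request(
    "POST", "https", "app.example.com",
    headers={"Referer": "https://app.example.com/form/"},
    cookies={"csrftoken": "REAL"},
    post={"csrfmiddlewaretoken": "REAL", "action": "transfer"})

NO_REFERER_HTTPS = Request(
    "POST", "https", "app.example.com",
    cookies={"csrftoken": "REAL"},
    post={"csrfmiddlewaretoken": "REAL"})


if __name__ == "__main__":
    for name, req in [("subdomain attack over HTTPS", SUBDOMAIN_ATTACK_HTTPS),
                      ("subdomain attack over HTTP", SUBDOMAIN_ATTACK_HTTP),
                      ("legitimate HTTPS post", LEGIT_HTTPS),
                      ("HTTPS post without Referer", NO_REFERER_HTTPS)]:
        print("%-30s -> %s" % (name, csrf_check(req) or "accepted"))
```

The HTTP case is the one that motivates the "HTTPS only" condition in the message: with no Referer check the planted cookie and forged form token agree and the request is accepted. Note also that the check treats a missing Referer as a failure, so HTTPS clients or proxies that strip the header will be rejected on state-changing requests.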
