They don't try to guess the CSRF directly, AIUI.

They use a form field to affect their test.

The easiest solution I can see is the one mentioned in the document --
instead of outputting the raw value, output SALT || (SALT ^ TOKEN) so the
actual value is never in the response, but it can be retrieved by simply
xoring it with the salt.  The salt is changed every request.

--
Curtis Maloney
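
As an added illustration of the SALT || (SALT ^ TOKEN) scheme described above (example code written for this thread, not Curtis's code and not Django's own mitigation; the helper names and the 32-byte token length are assumptions):

```python
import secrets
from typing import Optional, Tuple

TOKEN_BYTES = 32  # assumed length of the per-session secret CSRF token


def mask_token(token: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return SALT || (SALT ^ TOKEN); a fresh random salt is drawn per call.

    The raw token never appears in the response body, so the same secret
    produces different bytes on every request.
    """
    if salt is None:
        salt = secrets.token_bytes(len(token))
    if len(salt) != len(token):
        raise ValueError("salt must be the same length as the token")
    masked = bytes(s ^ t for s, t in zip(salt, token))
    return salt + masked


def unmask_token(value: bytes) -> bytes:
    """Recover TOKEN from SALT || (SALT ^ TOKEN) by xoring the two halves."""
    if len(value) == 0 or len(value) % 2 != 0:
        raise ValueError("masked value must consist of two equal halves")
    half = len(value) // 2
    salt, masked = value[:half], value[half:]
    return bytes(s ^ m for s, m in zip(salt, masked))


def tokens_match(submitted: bytes, session_token: bytes) -> bool:
    """Server-side check: unmask the submitted value and compare in constant time."""
    try:
        return secrets.compare_digest(unmask_token(submitted), session_token)
    except ValueError:
        return False


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through: two responses for one session token."""
    token = secrets.token_bytes(TOKEN_BYTES)
    response_1 = mask_token(token)
    response_2 = mask_token(token)
    # Different bytes on the wire each time, yet both unmask to the same token,
    # and neither response contains the raw token for a compression oracle to find.
    return (
        response_1 != response_2,
        unmask_token(response_1) == unmask_token(response_2) == token,
        token not in response_1 and tokens_match(response_1, token),
    )
```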



On 7 August 2013 16:56, simonb <[email protected]> wrote:

> How about requiring that if csrfmiddlewaretoken is set, no matter what
> http method (GET, POST...), it is correct otherwise 403 response.
>
> Simon
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
