I am doing something a little different with my CSRF tokens, and I believe 
it guards against BREACH.

Instead of sending the token in the HTTP response, I am using javascript to 
read (and generate if needed) the CSRF token cookie. The javascript reads 
the token from the cookie and adds it as a hidden field to any forms that 
need it on the page.

This also has two bonus benefits:
- It makes pages easier to cache, because the response doesn't Vary based 
on each person's CSRF Cookie.
- I've been spam-free since I started using this method. Most spam bots 
aren't aware of this method (yet).

It could be used as a drop-in replacement for {% csrf_token %} for anyone 
who doesn't care about the javascript requirement. I personally consider 
the javascript requirement a benefit.

This also, of course, is incompatible with CSRF_COOKIE_HTTPONLY.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
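The technique described in the post above, as an added example that is not code from the original message or from Django itself: a script that reads the token from the csrftoken cookie and adds it as a hidden csrfmiddlewaretoken field to same-origin POST forms. It assumes Django's default cookie and field names and CSRF_COOKIE_HTTPONLY turned off, and leaves issuing the cookie to the server rather than generating one client-side; it also validates the cookie value and skips cross-origin forms so the token is never posted elsewhere.

```javascript
// Added example (not Django's own code): cookie-based CSRF token injection.
// Assumes Django's default cookie/field names and CSRF_COOKIE_HTTPONLY off.
const CSRF_COOKIE = 'csrftoken';
const CSRF_FIELD = 'csrfmiddlewaretoken';
// Accept only values shaped like a Django token (32 or 64 alphanumerics).
const TOKEN_RE = /^[A-Za-z0-9]{32}$|^[A-Za-z0-9]{64}$/;

// Extract the CSRF token from a document.cookie-style string, or null.
function tokenFromCookieString(cookieString, name = CSRF_COOKIE) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    const value = part.slice(eq + 1).trim();
    return TOKEN_RE.test(value) ? value : null;
  }
  return null;
}

// Inject only into state-changing, same-origin forms, so the token is
// never submitted to a third-party action URL.
function shouldInjectToken(method, action, pageUrl) {
  if ((method || 'get').toLowerCase() !== 'post') return false;
  try {
    return new URL(action || '', pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable action: leave the form alone
  }
}

// Browser entry point: add a hidden field to each qualifying form that
// lacks one. Returns the number of fields added.
function installCsrfTokens(doc) {
  const token = tokenFromCookieString(doc.cookie);
  if (!token) return 0; // no cookie yet: the server issues it in a response
  let added = 0;
  for (const form of doc.querySelectorAll('form')) {
    const action = form.getAttribute('action');
    if (!shouldInjectToken(form.method, action, doc.location.href)) continue;
    if (form.querySelector('input[name="' + CSRF_FIELD + '"]')) continue;
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = CSRF_FIELD;
    input.value = token;
    form.appendChild(input);
    added += 1;
  }
  return added;
}
// Runs in a browser; a no-op outside one (e.g. under Node).
if (typeof document !== 'undefined') installCsrfTokens(document);
```

The two helper functions are pure, so the cookie parsing and the same-origin check can be unit-tested outside a browser; only installCsrfTokens touches the DOM.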