That does seem to be a good effort towards CSRF prevention. However, it's 
currently in draft status, and doesn't provide any protection if not 
supported by your browser. According to caniuse.com[1], the browsers 
supporting this feature currently occupy just under 60% of the browser 
market. About 40% of users would still be vulnerable to CSRF attacks. IMO 
that's too large a chunk of users to leave unprotected. 

When this feature reaches maturity it will likely be a good option to 
combat CSRF, but right now it doesn't provide adequate protection on its 
own. Django's CSRF middleware does provide protection for the remaining 
40%. 

Marten


[1] https://caniuse.com/#search=samesite

On Tuesday, January 16, 2018 at 6:19:17 PM UTC+1, Etienne Robillard wrote:
>
> See this: https://www.owasp.org/index.php/SameSite
>
> Cheers,
>
> Etienne
>
> Le 2018-01-16 à 10:36, knbk a écrit :
>
> How does using nginx protect against CSRF attacks?
>
> Marten
>
> On Tuesday, January 16, 2018 at 10:49:21 AM UTC+1, Etienne Robillard 
> wrote: 
>>
>> A much more practical way to improve security against XSRF attacks is 
>> using nginx.
>>
>> Regards,
>>
>> Etienne
>>
>> Le 2018-01-16 à 04:38, James Bennett a écrit :
>>
>> If you can demonstrate a practical attack against Django's CSRF system, 
>> feel free to email it to secu...@djangoproject.com.
>>
>> On Tue, Jan 16, 2018 at 1:26 AM, Etienne Robillard <tka...@yandex.com> 
>> wrote:
>>
>>> Hi Stephan,
>>>
>>> I'm also interested in understanding why I should have some form of CSRF 
>>> protection for my WSGI app... 
>>>
>>> Perhaps recoding the Django 1.11 CSRF middleware into a proper WSGI 
>>> application (CSRFController) would help.
>>>
>>> But seriously, I don't use/recommend the Django CSRF middleware because 
>>> it does not improve the security of form processing. 
>>>
>>>
>>> cheers,
>>>
>>> Etienne
>>>
>>>
>>>
>>> Le 2018-01-15 à 17:03, Stephan Doliov a écrit :
>>>
>>> Just curious, I recently went on a source code studying binge and took a 
>>> look at the CSRF middleware that comes with Django. I appreciate the work 
>>> and effort of the authors, but I am not sure I gain anything by deploying 
>>> it to my site. Here is why: 
>>> The middleware token assigned to a form and to a csrftoken cookie are 
>>> ciphertexts of the same underlying key (by default, the underlying key is 
>>> chosen as 32 randomly chosen (with replacement) chars from a set of 62 
>>> chars). So the easy workaround can be done in one of two ways:
>>>
>>> 1) Write a script that just harvests the middleware token from a form 
>>> "protected" with such token and use the value of that as the csrftoken 
>>> cookie.
>>> As the middlewaretoken is a cipher of the underlying token, obviously 
>>> using the same string as the value of the csrftoken cookie will satisfy 
>>> the middleware's demand for authorization of the resource (e.g. POSTing to 
>>> the form).
>>>
>>> 2) Learn the easy cipher algorithm the csrf middleware uses and present 
>>> a csrf token cookie that will decode to the right value.
>>>
>>> In either case, I am not convinced that meaningful protection against 
>>> CSRF types of requests are provided by the middleware. Am I missing 
>>> something?
>>>
>>> Wouldn't it be more secure to just have middleware that whitelists a 
>>> series of origins (aka CORS) and then, unlike CORS, actually performs 
>>> reverse lookups on the DNS of the whitelisted domains? (Of course, this 
>>> assumes that the hosts that might want to make cross-site requests have 
>>> access to managing their reverse DNS.)
>>>
>>> Am I missing something? Or, if serving performance is a top goal of 
>>> mine, should I just ditch the csrf middleware (and maybe rate limit client 
>>> requests to prevent DoS attacks)?
>>>
>>> Thanks,
>>> Steve
>>>
>>> -- 
>>> Etienne Robillard
>>> tka...@yandex.com
>>> https://www.isotopesoftware.ca/
>>>
>>
>> -- 
>> Etienne Robillard
>> tka...@yandex.com
>> https://www.isotopesoftware.ca/
>>
> -- 
> Etienne Robillard
> tka...@yandex.com
> https://www.isotopesoftware.ca/
>
>
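Worked example, added here and not code from the thread or from Django itself: a Python model of the salted double-submit scheme Stephan describes (a 32-character secret masked into a 64-character token, as in Django 1.11), together with the server-side comparison and the SameSite cookie attribute Marten discusses as an additional layer. The function names (`mask`, `unmask`, `check_request`, `csrf_cookie_header`, `demo`) and the cookie attributes are this example's assumptions. The point the model makes visible is the one the thread circles around: the cookie and the form token do unmask to the same secret, and the scheme's security rests on the browser's same-origin policy, under which a page on another origin can neither read the victim's rendered form nor write the victim's csrftoken cookie. The masking exists to make every rendered token differ (a mitigation for compression oracles such as BREACH), not to hide the secret from the page that legitimately holds it.

```python
import hmac
import secrets
import string

# Character set and lengths modelled on Django 1.11's csrf middleware: a
# 32-char secret drawn from 62 letters and digits, masked into a 64-char token.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_secret():
    """Fresh 32-char secret from a CSPRNG (the per-session CSRF secret)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask(secret, salt=None):
    """Mask `secret` with a random (or caller-supplied) salt.

    token = salt || (secret + salt) mod 62, character by character.  Every
    call with a fresh salt yields a different token for the same secret,
    which is what defeats compression-oracle attacks on the response body.
    """
    if salt is None:
        salt = new_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in salt))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return salt + cipher


def unmask(token):
    """Invert mask(): split off the salt and subtract it from the cipher part."""
    chars = CSRF_ALLOWED_CHARS
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in salt))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def token_is_well_formed(token):
    """Reject anything that is not exactly 64 allowed characters."""
    return (
        isinstance(token, str)
        and len(token) == CSRF_TOKEN_LENGTH
        and all(c in CSRF_ALLOWED_CHARS for c in token)
    )


def check_request(cookie_token, form_token):
    """Server-side check for a state-changing request.

    Both inputs are masked tokens; the request passes when they unmask to
    the same secret.  The comparison is constant-time so the secret does not
    leak through response timing.  The check binds the form submission to
    the cookie the same origin issued; it does not try to hide the secret.
    """
    if not (token_is_well_formed(cookie_token) and token_is_well_formed(form_token)):
        return False
    return hmac.compare_digest(unmask(cookie_token), unmask(form_token))


def csrf_cookie_header(cookie_token, secure=True):
    """Set-Cookie line for the csrftoken cookie (this example's own choice of
    attributes, not a Django 1.11 setting).

    SameSite=Lax is the browser-side layer from Marten's message; it only
    helps in browsers that implement it, so the token check above stays.  The
    cookie is deliberately not HttpOnly: the AJAX pattern reads it from JS to
    fill the X-CSRFToken header.
    """
    attrs = ["Path=/", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "csrftoken=" + cookie_token + "; " + "; ".join(attrs)


def demo():
    """One request cycle: issue the secret, render the form, verify the POST."""
    secret = new_secret()
    cookie_token = mask(secret)   # value stored in the csrftoken cookie
    form_token = mask(secret)     # value rendered into the form, different salt
    assert cookie_token != form_token
    legit = check_request(cookie_token, form_token)
    # A request arriving with the victim's cookie but without a token that
    # unmasks to the same secret (the cross-site case) fails the check.
    forged = check_request(cookie_token, mask(new_secret()))
    return legit, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The deterministic `mask`/`unmask` pair also shows why "learning the cipher" (Stephan's second point) buys nothing on its own: unmasking needs the token, and the token is only readable from the victim's own origin.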

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/da9363e9-c3fc-4446-a3a0-a692c2945852%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
