Hi Vermus,
Yes, the form value is currently hard coded.
I can't think of any particular reason that this shouldn't be configurable
though. If you're looking to get into Django development, it would be a
fairly easy feature to contribute - there isn't that much code required to
implement the chang
OK, I renamed the cookie name,
but what about renaming the input name "csrfmiddlewaretoken" of {% csrf_token %}?
As I see it, it is hardcoded?
http://stackoverflow.com/questions/27087626/rename-csrfmiddlewaretoken
On Tuesday, 28 April 2015, 11:28:36 UTC+3, Vermus wrote:
>
>
> Oh, I missed this
Oh, I missed this setting, stupid (I think it is new for me, I've been using
Django since 1.0)
Thank you!
On Tuesday, 28 April 2015, 10:51:11 UTC+3, Russell Keith-Magee
wrote:
>
> Hi Vermus,
>
> Calling this a security "breach" is a bit inaccurate; but I certainly
> agree that it is
Hi Vermus,
Calling this a security "breach" is a bit inaccurate; but I certainly agree
that it is good practice to make the framework undetectable from the client
side.
That's why there's a setting that does exactly what you suggest:
https://docs.djangoproject.com/en/1.8/ref/settings/#csrf-cooki
Hi, I found that my site is detected
by http://trends.builtwith.com/framework/Django-CSRF by the csrftoken header.
I think it's a security breach when users know what framework is used on
the server side.
There must be such web server tuning that no one can detect the framework
and server side programmi