Skip CSRF checks if no cookies or if authorization: bearer xxx headers #11

@simonw

Needed by Datasette in simonw/datasette#835

If an incoming request has no cookies there's no point in CSRF protecting it... UNLESS it's to a login form to protect against login CSRF attacks. So the middleware should have an option for "always CSRF protect these paths" to allow /login to be protected.

If an incoming request has an Authorization: Bearer xxx token there's no need to CSRF protect it because regular user requests from authenticated browsers can't include the Bearer prefix - they will always look like this instead (which should be CSRF protected):

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
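The decision logic proposed above, written out as an added example against a raw ASGI scope (this is illustrative code, not asgi-csrf's own implementation). The function name, the `always_protect` parameter and the sample scopes are assumptions; a request with a non-Bearer Authorization header is treated like one with cookies, since the issue says Basic-authenticated requests should stay protected.

```python
# Added example, not code from asgi-csrf: decide whether a request needs a
# CSRF token check according to the rules proposed in the issue.
from typing import Iterable


def needs_csrf_check(scope: dict, always_protect: Iterable[str] = ()) -> bool:
    """Return True if the CSRF token must be verified for this ASGI scope.

    Rules:
    1. Paths listed in always_protect (e.g. "/login") are always checked, so a
       login form is not exposed to login CSRF even when no cookies are sent.
    2. A request carrying "Authorization: Bearer ..." is skipped: a browser
       will not attach a Bearer token to a cross-site form post.
    3. A request with no Cookie header and no other Authorization header is
       skipped: there is no ambient credential for an attacker to ride on.
    4. Everything else (cookies, or e.g. "Authorization: Basic ...", which
       browsers do send automatically) is checked.
    """
    # ASGI exposes headers as a list of (name, value) byte pairs; names are
    # lower-cased by the server but we normalise again to be safe.
    headers = {name.lower(): value for name, value in scope.get("headers", [])}

    if scope.get("path", "") in set(always_protect):
        return True

    auth = headers.get(b"authorization", b"")
    if auth[:7].lower() == b"bearer ":
        return False

    has_cookie = b"cookie" in headers
    has_ambient_auth = bool(auth)  # Basic/Digest-style credentials a browser replays
    if not has_cookie and not has_ambient_auth:
        return False

    return True
```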
