Refs #16870 -- Doc'd that CSRF protection requires the Referer header.

This commit is contained in:
Flávio Juvenal 2017-05-24 16:36:45 -07:00 committed by Tim Graham
parent e1cd5a76d7
commit 0af14b2eaa
3 changed files with 27 additions and 0 deletions


@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
(because XSS vulnerabilities already let an attacker do anything a CSRF
vulnerability allows and much worse).
.. admonition:: Removing the ``Referer`` header
To avoid disclosing the referrer URL to third-party sites, you might want
to `disable the referer`_ on your site's ``<a>`` tags. For example, you
might use the ``<meta name="referrer" content="no-referrer">`` tag or
include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
protection's strict referer checking on HTTPS requests, those techniques
cause a CSRF failure on requests with 'unsafe' methods. Instead, use
alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
sites.
.. _BREACH: http://breachattack.com/
.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
Caching
=======
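Review bot: the inline literal ``<a rel="noreferrer" ...>"`` in the admonition's last sentence has a stray ``"`` after the closing ``>``; it should read ``<a rel="noreferrer" ...>`` so readers copying the suggested markup get a valid tag. Consider also stating in the first sentence that the strict referer check applies only to HTTPS requests, as the later sentence does, so the admonition is self-contained when rendered out of context.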