Fixed #31291 -- Renamed salt to mask for CSRF tokens.

This commit is contained in:
Ram Rachum 2020-02-25 15:16:19 +02:00 committed by GitHub
parent 271fdab8b7
commit 5b09354954
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 26 additions and 26 deletions


@ -239,15 +239,15 @@ The CSRF protection is based on the following things:
set on the request.
In order to protect against `BREACH`_ attacks, the token is not simply the
secret; a random salt is prepended to the secret and used to scramble it.
secret; a random mask is prepended to the secret and used to scramble it.
For security reasons, the value of the secret is changed each time a
user logs in.
#. A hidden form field with the name 'csrfmiddlewaretoken' present in all
outgoing POST forms. The value of this field is, again, the value of the
secret, with a salt which is both added to it and used to scramble it. The
salt is regenerated on every call to ``get_token()`` so that the form field
secret, with a mask which is both added to it and used to scramble it. The
mask is regenerated on every call to ``get_token()`` so that the form field
value is changed in every such response.
This part is done by the template tag.
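Review bot: The rename from "salt" to "mask" is the right correction, but the two sentences that describe the value ("a random mask is prepended to the secret and used to scramble it" and "a mask which is both added to it and used to scramble it") still read as if the mask contributed secrecy, which a salt-like term would imply and a mask does not. Since the mask is transmitted in the clear alongside the masked secret, anyone holding the token can unmask it; its only purpose, as the surrounding BREACH paragraph says, is to make the token bytes differ on every response so a compression-based guess cannot match a fixed string. Suggest stating that explicitly, e.g. "a random mask is prepended to the secret and used to scramble it; the mask adds no secrecy (it is sent along with the token) but ensures the token value differs on every response", and likewise for the ``get_token()`` sentence, so readers do not assume the per-call regeneration is what keeps the secret safe rather than the secret rotation on login described just above.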