Fixed #32800 -- Changed CsrfViewMiddleware not to mask the CSRF secret.

This also adds CSRF_COOKIE_MASKED transitional setting helpful in migrating multiple instance of the same project to Django 4.1+. Thanks Florian Apolloner and Shai Berger for reviews. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-08-04 02:48:35 +00:00 · 2021-08-17 09:13:13 -04:00 · 2021-08-17 09:13:13 -04:00 · 5d80843ebc
commit 5d80843ebc
parent 05e29da421
10 changed files with 284 additions and 143 deletions
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -347,6 +347,22 @@ form input <acquiring-csrf-token-from-html>` instead of :ref:`from the cookie

 See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``.

+.. setting:: CSRF_COOKIE_MASKED
+
+``CSRF_COOKIE_MASKED``
+----------------------
+
+.. versionadded:: 4.1
+
+Default: ``False``
+
+Whether to mask the CSRF cookie. See
+:ref:`release notes <csrf-cookie-masked-usage>` for usage details.
+
+.. deprecated:: 4.1
+
+    This transitional setting is deprecated and will be removed in Django 5.0.
+
 .. setting:: CSRF_COOKIE_NAME

 ``CSRF_COOKIE_NAME``