Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set, so hackers have an easier time stealing your CSRF cookies on HTTP connections, allowing them to circumvent your CSRF protection.
CsrfViewMiddleware marks the CSRF cookie as secure when CSRF_COOKIE_SECURE = True, so that the browser only sends the cookie over a secure HTTPS connection.
Cookies sent over insecure HTTP are unencrypted, so hackers can steal the CSRF cookie using a packet sniffer, allowing them to use it to trick the browser into thinking a request made on their website was performed on your website by the logged-in user.
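As an added example (not the bot's or Django's own code), here is a settings-side flag parser that avoids the literal_eval pitfall in the suggested change, plus an audit that checks a response's Set-Cookie headers for the Secure attribute on the csrftoken cookie. The HTTPS_ONLY flag name and the sample headers are assumptions.

```python
import os
from http.cookies import SimpleCookie

# Accepted spellings for an HTTPS_ONLY-style feature flag (assumed name).
TRUTHY = {"1", "true", "yes", "on"}
FALSY = {"0", "false", "no", "off"}


def parse_bool(raw, name="HTTPS_ONLY", default=True):
    """Map a flag string to a bool; None (unset) yields the secure default.
    Unlike literal_eval(getenv(...)), 'false'/'0' in any case are accepted
    and anything else is rejected rather than evaluated as Python."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUTHY:
        return True
    if value in FALSY:
        return False
    raise ValueError(f"{name} must be a boolean flag, got {raw!r}")


def env_bool(name="HTTPS_ONLY", default=True):
    """settings.py usage: CSRF_COOKIE_SECURE = env_bool("HTTPS_ONLY")"""
    return parse_bool(os.getenv(name), name, default)


def audit_csrf_cookie(set_cookie_headers, cookie_name="csrftoken"):
    """Return findings for the CSRF cookie in a response's Set-Cookie headers.
    An empty list means the cookie carried the Secure attribute, which is
    what CSRF_COOKIE_SECURE = True makes Django add."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue
        seen = True
        if not morsel["secure"]:  # '' when absent, True when present
            findings.append(f"{cookie_name} is missing the Secure attribute")
    if not seen:
        findings.append(f"no {cookie_name} cookie found in response")
    return findings


# Constructed sample headers in the shape Django emits (value is a placeholder).
INSECURE_HEADERS = ["csrftoken=PLACEHOLDER; Path=/; SameSite=Lax"]
SECURE_HEADERS = ["csrftoken=PLACEHOLDER; Path=/; Secure; SameSite=Lax"]
```

Pointing audit_csrf_cookie at the Set-Cookie headers of a real response (for instance from a deployment smoke test) turns the bot's static check into a runtime one.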
If our GitHub code review bot spots this issue in your pull request, it gives this advice:
1 | + | MIDDLEWARE = [ | |
2 | + | 'django.middleware.csrf.CsrfViewMiddleware', | |
3 | + | ... | |
4 | + | ] |
Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set, so hackers have an easier time stealing your CSRF cookies on HTTP connections, allowing them to circumvent your CSRF protection.
+ | |
+ | # feature flagged so can turn off in local development |
+ | CSRF_COOKIE_SECURE = literal_eval(getenv("HTTPS_ONLY", "True")) |
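Review bot: the suggested line relies on literal_eval and getenv without their imports (from ast import literal_eval; from os import getenv), and literal_eval is a fragile way to read a flag: HTTPS_ONLY=false raises ValueError when settings are imported, and HTTPS_ONLY=0 assigns the int 0 rather than False. Consider a small helper that maps a fixed set of true/false spellings to a bool and rejects anything else, keeping True as the default so the setting stays on unless explicitly disabled.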