Cross Site Request Forgeries

Posted in:

I've implemented a module that provides protection against Cross Site Request Forgeries for Django – and as always with both Python and Django, I've got that "surely it can't be that easy" feeling.

I've put up a quick download page for CsrfMiddleware, which includes how it works, so I don't need to add that here. I've still got one thing to add - the ability to selectively turn it off, in case you have parts of your site for which it would just get in the way. But that can be added later.

I felt a bit silly writing the download page, as it is significantly longer than the code itself! Django (and the Python language) makes so many things so easy. Django's tagline – "the web framework for perfectionists with deadlines" – is not an overstatement. I've been loving the fact that I can develop a very professional website at great speed in the few hours of spare time I have in evenings and at weekends. But with this kind of thing, Django proves that it really can cater for the perfectionist in terms of security too. With about 70 lines of python, I've implemented a generic security mechanism for a type of attack that most web sites haven't even thought about yet, and it requires a total of 2 (two) lines to add this to your Django-driven site.

At work I have the misfortune of using Microsoft Content Management Server, which uses ASP.NET. In every way – in terms of development speed, output quality, and web site performance – the contrast is immense. Getting back into C# and ASP.NET after some hacking on my (unfinished) Django-driven site can be like torture some days.

Update 2017: This module eventually became the basis for the built-in CSRF protection that Django now uses. But you should obviously use the built-in version!

Comments §

Comments should load when you scroll to here...