Cross Site Request Forgery protection weak to packet sniffing best practice

Django Doctor

Cross Site Request Forgery protection weak to packet sniffing

Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your CSRF cookies on HTTP connections, allowing them to circumvent your CSRF protection.

CsrfMiddleware marks the CSRF cookie as secure when CSRF_COOKIE_SECURE = True, to make the browser only send cookie over secure HTTPS connection.

Cookies sent over insecure HTTP are unencrypted, so hackers can steal the CSRF cookie using a packet sniffer - allowing them to use it to trick the browser into thinking a request on their website was performed on your website by the logged a user.-.

So in practice, do this


import os

MIDDLEWARE = [
    'django.middleware.csrf.CsrfViewMiddleware',
    ...
]

# allow it to be turned off in local dev env.
CSRF_COOKIE_SECURE = os.getenv('CSRF_COOKIE_SECURE', True)

Instead of this


MIDDLEWARE = [
    'django.middleware.csrf.CsrfViewMiddleware',
    ...
]

Are you affected? Check with

pip install django-doctor

Configuring this check

Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-csrf-secure in your pyproject.toml file.

Read more about configuring Django Doctor.

Django Doctor

Cross Site Request Forgery protection weak to packet sniffing

Configuring this check

Further reading