Scheming with CSRF: When platforms manage to break things with Katie McLaughlin - DjangoCon US 2022
Discover how Django's CSRF protection can be broken and explore the limitations of managed services, WSGI, and Gunicorn in this talk about security, standards, and best practices for building robust web applications.
-
CSRF protection in Django
- Handles unsafe methods (e.g., POST, PUT, DELETE)
- Checks for secure requests
-
Django 4.0 release changes
- Improved CSRF protection
- New origin_checked method
-
WSGI (Web Server Gateway Interface) and Django
- Defined standard for web servers and applications
- Django uses WSGI to interact with web servers
-
Gunicorn and Django
- Gunicorn is a WSGI server
- Django can work with Gunicorn
-
Managed services and Django
- Cloud Run, App Engine, and other managed services can run Django
- Each service has its own configuration and requirements
-
Origin header and CSRF
- Origin header is sent in HTTP requests
- Django checks the origin header against trusted origins
-
URLs and scheme
- URLs include scheme (e.g., http:// or https://)
- Django generates URLs with scheme included
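The Origin check and scheme handling described above, as an added example that is not code from the talk or from Django itself: a simplified Python model of how Django 4.0 compares the browser's Origin header with the scheme and host the WSGI request reports, and with scheme-qualified CSRF_TRUSTED_ORIGINS entries. It goes one step beyond the outline by showing the case where a managed service terminates TLS in front of Gunicorn, so the request reaches Django as plain HTTP; the host name, the WSGI environ values and the SECURE_PROXY_SSL_HEADER handling are constructed approximations of Django's behaviour, not its implementation.

```python
from urllib.parse import urlsplit

HOST = "app.example.com"  # constructed placeholder host, not from the talk


def scheme_seen_by_django(environ, proxy_ssl_header=None):
    """Scheme Django derives for a WSGI request (mirrors request.is_secure()).
    Behind a proxy that terminated TLS (a managed service in front of
    Gunicorn) the environ says 'http' unless SECURE_PROXY_SSL_HEADER names
    a forwarded header/value pair to trust instead."""
    if proxy_ssl_header is not None:
        name, value = proxy_ssl_header
        if environ.get(name) == value:
            return "https"
    return environ.get("wsgi.url_scheme", "http")


def origin_verified(origin, scheme, host, trusted_origins=()):
    """Simplified model of Django 4.0's Origin check (not Django's own code).
    Pass if Origin equals the request's own scheme://host, or matches a
    CSRF_TRUSTED_ORIGINS entry; 4.0 entries must carry the scheme, and
    '*.' entries match subdomains of the same scheme."""
    if origin == f"{scheme}://{host}":
        return True
    parsed = urlsplit(origin)
    if not parsed.scheme or not parsed.netloc:
        return False  # missing or malformed Origin: reject
    for entry in trusted_origins:
        t = urlsplit(entry)
        if not t.scheme or t.scheme != parsed.scheme:
            continue  # a pre-4.0 entry without a scheme never matches
        if t.netloc.startswith("*.") and parsed.netloc.endswith(t.netloc[1:]):
            return True
        if t.netloc == parsed.netloc:
            return True
    return False


def check(environ, origin, trusted=(), proxy_header=None):
    """Run the check for one request built from a constructed WSGI environ."""
    return origin_verified(origin, scheme_seen_by_django(environ, proxy_header),
                           HOST, trusted)


# Constructed environs: a direct TLS request, and plain HTTP seen behind a
# proxy that terminated TLS and forwarded the real scheme in X-Forwarded-Proto.
DIRECT = {"wsgi.url_scheme": "https"}
PROXIED = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
ORIGIN = "https://app.example.com"  # what the browser sends
```

When the proxied request fails this check Django answers 403 with its "Origin checking failed" reason; the fix is either SECURE_PROXY_SSL_HEADER so the request scheme is reported correctly, or the scheme-qualified origin in CSRF_TRUSTED_ORIGINS.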
-
RFCs (Requests for Comments) and standards
- RFCs define standards for the internet
- PEPs (Python Enhancement Proposals) are used for Python-specific standards