add HttpHeaderCSRFStoragePolicy #3779

Draft
silenius wants to merge 4 commits into Pylons:main from silenius:csrfheader

Conversation

@silenius silenius commented Feb 18, 2025
Contributor

Add a HttpHeaderCSRFStoragePolicy to persist the CSRF token in an HTTP header.
While here, also replace uuid.uuid4() with secrets.token_hex() for the token factory.

@luhn luhn commented Feb 18, 2025
Contributor

This CSRF policy pulls from request.headers['X-CSRF-Token'] by default and check_csrf_token (the module-level function) pulls from the same, so it ends up a tautology.

@silenius silenius commented
Contributor Author

That's right, I missed that! Is using a different key in the CSRF policy an acceptable solution or too fragile?
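The two comments above (the self-comparison luhn describes, and the "different key" idea silenius floats) as an added example. This is not code from pyramid or from this PR: it is a constructed, minimal model of how the module-level `check_csrf_token()` obtains the supplied token and hands it to a storage policy for comparison. The `Request` stand-in, the `HeaderStoragePolicy` class and the header names other than `X-CSRF-Token` are assumptions made for illustration.

```python
# Added example, not pyramid's own code: a simplified model of the check
# performed by the module-level check_csrf_token() together with a storage
# policy that keeps the token in a request header, as proposed in this PR.
import hmac
import secrets


class Request:
    """Constructed stand-in for a request: only headers and POST parameters."""

    def __init__(self, headers=None, post=None):
        self.headers = dict(headers or {})
        self.POST = dict(post or {})


class HeaderStoragePolicy:
    """Models a policy that reads the *stored* token from a request header.

    `header` is the header the policy treats as the stored token (assumption:
    the PR's policy defaults to X-CSRF-Token).
    """

    def __init__(self, header="X-CSRF-Token"):
        self.header = header

    def new_csrf_token(self, request):
        # The PR swaps uuid.uuid4() for secrets.token_hex(); same here.
        return secrets.token_hex()

    def get_csrf_token(self, request):
        token = request.headers.get(self.header)
        return token if token is not None else self.new_csrf_token(request)

    def check_csrf_token(self, request, supplied_token):
        expected = self.get_csrf_token(request)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), supplied_token.encode())


def check_csrf_token(request, policy, token="csrf_token", header="X-CSRF-Token"):
    """Models pyramid's module-level check: the *supplied* token is taken from
    the X-CSRF-Token header (or a POST field), then the policy compares it
    against what it considers the stored token."""
    supplied = request.headers.get(header) or request.POST.get(token) or ""
    return policy.check_csrf_token(request, supplied)


def demo():
    """Returns (same_key_result, distinct_key_good, distinct_key_bad)."""
    arbitrary = "any-value-the-caller-chooses"  # constructed input

    # 1. Policy and checker read the same header: the check compares the
    #    header value with itself and passes for *any* value (the tautology).
    same_key = HeaderStoragePolicy("X-CSRF-Token")
    forged = Request(headers={"X-CSRF-Token": arbitrary})
    tautology = check_csrf_token(forged, same_key)

    # 2. Policy reads a distinct header (assumed name X-CSRF-Stored): the two
    #    inputs are now independent, so a mismatch is actually rejected.
    distinct = HeaderStoragePolicy("X-CSRF-Stored")
    stored = distinct.new_csrf_token(None)
    good = Request(headers={"X-CSRF-Stored": stored, "X-CSRF-Token": stored})
    bad = Request(headers={"X-CSRF-Stored": stored, "X-CSRF-Token": arbitrary})
    return tautology, check_csrf_token(good, distinct), check_csrf_token(bad, distinct)


if __name__ == "__main__":
    print(demo())
```

With the same header key the check is a self-comparison and accepts any value, which is luhn's point; with a distinct key the mismatch case is rejected. Note that in the distinct-key variant both headers are still supplied by the caller, so the check stops being a self-comparison but only carries weight once the value the policy treats as "stored" is bound to something the caller cannot set freely, which is the fragility question raised in the thread.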

@luhn luhn commented Feb 19, 2025
Contributor

Hard to say, I don't really understand where or how one might use this policy. Can you give a sample use case?

@silenius silenius commented Feb 20, 2025
Contributor Author

I just want to store the CSRF token in a header rather than in the session or in a cookie. I'm using JWT tokens, and it is often recommended to store the JWT token in a secure, HttpOnly, same-site cookie and the CSRF token in a header.

@silenius silenius marked this pull request as draft February 20, 2025 08:26