Exempt CSRF check for a specified list of origins. am I doing right? #7797
Unanswered. wonderbeyond asked this question in Question & Answer. Replies: 0 comments.
Firstly, I insist on using session-based authentication instead of some token-based authentication, because in commonly used token-based authentication the JavaScript code can always read the access token, which is vulnerable to XSS.
The "SessionAuthentication" authentication scheme uses Django's session backend, and a Django session is established with an httpOnly cookie which cannot be accessed by JS code. So using such a session backend can avoid the XSS vulnerability.
However, I want my REST API to be accessible from a specific list of origins, especially in the testing environment.
So I made a custom authentication scheme `CustomSessionAuthentication` as below:
Note: I take corsheaders' origin whitelist configuration as my exemption list directly.
Am I doing right? Will I introduce some security holes?
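The post's own code did not survive extraction, so the following is an added example written here, not the poster's class and not django-rest-framework or django-cors-headers code. It shows the approach the question describes (skip DRF's CSRF check only when the request's `Origin` header is on the CORS allowlist) with the checks a reviewer would look for: the origin is compared exactly, scheme and host and port, never by prefix or substring; a request with no `Origin` header, a `null` origin, or a malformed value falls back to the normal CSRF check; and the allowlist consulted is the explicit list only, never a "allow all" or regex setting. The exemption logic is a pure function so it can run without Django; `OriginAllowlistCsrfMixin.enforce_csrf` mirrors the real `SessionAuthentication.enforce_csrf(request)` hook and reads `request.META["HTTP_ORIGIN"]`, both of which exist in DRF/Django. `_RecordingBase`, `FakeRequest`, `CONSTRUCTED_ALLOWLIST` and `DemoAuthentication` are constructed stand-ins for demonstration. The setting name `CORS_ALLOWED_ORIGINS` (older releases: `CORS_ORIGIN_WHITELIST`) is django-cors-headers' explicit allowlist setting.

```python
"""Allowlisted-origin CSRF exemption for a DRF SessionAuthentication subclass.

Added example, not code from the discussion or from DRF/django-cors-headers.
The decision is a pure function so it can be tested without Django installed.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def normalize_origin(value: str) -> Optional[str]:
    """Return 'scheme://host[:port]' in lower case, or None if value is not a plain origin.

    Anything with a path (other than a bare '/'), query, fragment or userinfo is rejected,
    as is the literal 'null' origin browsers send for opaque origins.
    """
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if "@" in parts.netloc or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def origin_is_exempt(origin_header: Optional[str], allowed_origins: Iterable[str]) -> bool:
    """True only when the Origin header exactly matches one allowlisted origin.

    A missing or unparsable Origin header is never exempt: the caller must then
    run the regular CSRF token check.
    """
    if not origin_header:
        return False
    origin = normalize_origin(origin_header)
    if origin is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    allowed.discard(None)  # ignore malformed entries instead of matching them
    return origin in allowed


class OriginAllowlistCsrfMixin:
    """Mix in ahead of SessionAuthentication (real DRF wiring, not run here):

        from django.conf import settings
        from rest_framework.authentication import SessionAuthentication

        class CustomSessionAuthentication(OriginAllowlistCsrfMixin, SessionAuthentication):
            allowed_origins = settings.CORS_ALLOWED_ORIGINS  # explicit list only

    Only the explicit allowlist is consulted; CORS_ALLOW_ALL_ORIGINS or regex
    settings are deliberately not honoured, since they would disable CSRF for everyone.
    """

    allowed_origins: Iterable[str] = ()

    def enforce_csrf(self, request):
        # Safe methods never carry state-changing side effects; DRF's own check
        # already skips them, so pass straight through to the base behaviour.
        method = getattr(request, "method", "POST").upper()
        origin = request.META.get("HTTP_ORIGIN")  # Django exposes the Origin header here
        if method not in SAFE_METHODS and origin_is_exempt(origin, self.allowed_origins):
            return  # trusted origin: skip the CSRF token check
        super().enforce_csrf(request)  # everything else: the normal DRF/Django check


# ---- Constructed offline harness (stands in for DRF and an HttpRequest) ----
CONSTRUCTED_ALLOWLIST = ("https://app.example.com", "http://localhost:3000")


class _RecordingBase:
    """Stand-in for SessionAuthentication that counts CSRF checks instead of running them."""

    def __init__(self):
        self.csrf_checks = 0

    def enforce_csrf(self, request):
        self.csrf_checks += 1


class FakeRequest:
    """Minimal request with the META mapping Django would populate."""

    def __init__(self, origin: Optional[str], method: str = "POST"):
        self.method = method
        self.META = {} if origin is None else {"HTTP_ORIGIN": origin}


class DemoAuthentication(OriginAllowlistCsrfMixin, _RecordingBase):
    allowed_origins = CONSTRUCTED_ALLOWLIST


def csrf_checks_for(origin: Optional[str], method: str = "POST") -> int:
    """Return how many times the base CSRF check ran for one request with this Origin."""
    auth = DemoAuthentication()
    auth.enforce_csrf(FakeRequest(origin, method))
    return auth.csrf_checks


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.evil.test", None, "null"]:
        print(f"{o!r:40} -> CSRF check ran {csrf_checks_for(o)} time(s)")
```

The decisive design point is exact matching after normalisation: a `startswith`-style comparison would accept `https://app.example.com.evil.test`, and a check of the bare hostname would accept the `http://` variant of an `https://` entry. Whether this scheme is acceptable at all rests on the allowlist itself being trustworthy, because every origin on it gains the power to make credentialed, CSRF-unchecked state-changing requests on behalf of any logged-in user.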