I recently gave a talk about Cross-site Request Forgery in Django at DjangoCon Europe 2022 in Porto. You can find the slides here. Unfortunately, and I didn't know this at the time, no official recording of the workshop was made. However, I still have a recording of one of the test runs I did in preparation for the workshop. It has some rough edges and isn't as smooth as I would like, but if you are interested in the workshop it's better than nothing. You can find the recording here. I recommend listening to it at 1.5x speed.
Here are the two demo projects I set up for the talk:
Resources
This is a list of most of the resources I used when preparing for the talk.
Origin and Site
Same-origin Policy
Cross-site Request Forgery
- Wikipedia — Cross-site Request Forgery
- CORS Simple Requests
- OWASP — CSRF Overview
- OWASP — CSRF Testing guide
- OWASP — CSRF Prevention Cheatsheet
- PortSwigger — Cross-site request forgery (CSRF)
- CORS and CSRF interplay
- CSRF and Origin Header
- Cross-tab CSRF token sharing
- CSRF with JSON POST
- HTML JSON Forms Draft
- Demystifying CORS, CSRF tokens, SameSite & Clickjacking - Web Security
Cookies
Cookie Security in General
- What all Developers need to know about: Cookie Security
- Web Security: How to Harden your HTTP cookies
SameSite Cookies
- MDN Web Docs — SameSite Cookie
- Simon Willison — SameSite Cookies and Django
- jub0bs.com — The great SameSite confusion
- Secure flag for SameSite=None
- SameSite Cookie and General CSRF overview (German)
- web.dev — SameSite Cookies explained
- Will same-site cookies be sufficient protection against CSRF and XSS?
- PortSwigger — Defending against CSRF with SameSite cookies
Django
Django Docs
- Cross-site Request Forgery protection & Limitations
- How to use Django's CSRF protection
- CsrfViewMiddleware masks CSRF cookie changes
- Django 4.1 changes, search for CSRF
- Django CSRF settings
- How does the Django Cross-site request forgery protection work?