path: root/docs/api/session.rst
author: Donald Stufft <donald@stufft.io> 2016-04-15 20:42:20 -0400
committer: Donald Stufft <donald@stufft.io> 2016-04-16 16:00:45 -0400
commit: 65dee6e4ca0c0c607e97db0c9e55768f10591a58 (patch)
tree: 6185b4704a6de2261d5568773c260d50e209d0aa /docs/api/session.rst
parent: 1799be9dd8666d10d6b4a04a9b75fc57f8626c6f (diff)
In addition to CSRF token, verify the origin too
Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes.
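The commit message describes the check in outline: on an HTTPS request, compare where the browser says the request came from (the Origin header, falling back to the Referer) against the site's own origin, and refuse when the header is absent or points elsewhere; on plain HTTP the check is skipped because a stripped header proves nothing. The following is an added illustration of that logic, written for this page and not Pyramid's own `check_csrf_origin` (whose real signature takes a request object); the function name `check_origin`, its `(scheme, host, headers, trusted_origins)` parameters and the sample requests in `__main__` are all made up here.

```python
from urllib.parse import urlsplit

# Added example of an HTTPS-only origin check in the spirit of the commit
# message above. The signature is hypothetical; it is not Pyramid's API.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it has no usable origin.

    Paths and query strings are ignored, so a Referer with a path compares
    equal to a bare Origin value. 'null' and relative values yield None.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port, e.g. "https://example.com:abc"
        return None
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS.get(parts.scheme))


def check_origin(scheme, host, headers, trusted_origins=()):
    """Return True if a state-changing request may proceed, False to refuse it.

    scheme, host: the scheme and Host value (optionally with port) the
    request was received on.
    headers: request headers as a dict; keys are matched case-insensitively.
    trusted_origins: extra (scheme, host, port) tuples allowed to submit,
    e.g. a separate domain that legitimately posts forms to this site.
    """
    # As the commit message says, only HTTPS requests are checked: only there
    # is a missing Referer evidence of tampering rather than of some proxy
    # stripping it, so on plain HTTP the check is a no-op.
    if scheme != "https":
        return True

    hdrs = {k.lower(): v for k, v in headers.items()}
    # Browsers send Origin on cross-site POSTs; fall back to Referer otherwise.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False  # over HTTPS an absent header is grounds to refuse

    origin = _origin_of(source)
    expected = _origin_of("%s://%s" % (scheme, host))
    if origin is None or expected is None:
        return False

    # Scheme, host and port must all match: "http://example.com" posting to
    # "https://example.com" is a different origin and is rejected.
    return origin == expected or origin in set(trusted_origins)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("https", "example.com", {"Origin": "https://example.com"}),
        ("https", "example.com", {"Referer": "https://example.com/login?next=/"}),
        ("https", "example.com", {"Origin": "https://evil.example"}),
        ("https", "example.com", {}),
        ("http", "example.com", {}),
    ]
    for scheme, host, headers in samples:
        print(scheme, host, headers, "->", check_origin(scheme, host, headers))
```

A consequence worth keeping in mind when using a check like this: it is an addition to, not a replacement for, the token check, and `trusted_origins` should be kept as short as possible, since every entry is an origin from which a forged request would pass this layer.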
Diffstat (limited to 'docs/api/session.rst')
-rw-r--r-- docs/api/session.rst | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/docs/api/session.rst b/docs/api/session.rst
index 474e2bb32..56c4f52d7 100644
--- a/docs/api/session.rst
+++ b/docs/api/session.rst
@@ -9,6 +9,8 @@
.. autofunction:: signed_deserialize
+ .. autofunction:: check_csrf_origin
+
.. autofunction:: check_csrf_token
.. autofunction:: SignedCookieSessionFactory
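Review bot: the autofunction entry for check_csrf_origin added in this hunk only helps API-reference readers if the docstring it pulls in states the two conditions the commit message relies on, namely that the origin check runs only for HTTPS requests and that it consults the Referrer (and any other) header to establish the origin; please confirm the docstring documents both, since nothing in this file explains why the check is skipped on plain HTTP. Placing the entry before check_csrf_token keeps the listing alphabetical, which is fine; consider also mentioning the new function in the narrative CSRF documentation, as this change touches only the API listing.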