| field | value | date |
|---|---|---|
| author | Donald Stufft <donald@stufft.io> | 2016-04-15 20:42:20 -0400 |
| committer | Donald Stufft <donald@stufft.io> | 2016-04-16 16:00:45 -0400 |
| commit | 65dee6e4ca0c0c607e97db0c9e55768f10591a58 (patch) | |
| tree | 6185b4704a6de2261d5568773c260d50e209d0aa /docs/narr/viewconfig.rst | |
| parent | 1799be9dd8666d10d6b4a04a9b75fc57f8626c6f (diff) | |
In addition to the CSRF token, verify the origin too
Add an additional layer of protection against CSRF by verifying the actual
origin of the request in addition to the CSRF token. We only do this check on
sites hosted behind HTTPS because only HTTPS sites have evidence to show that
the Referrer header is not being spuriously removed by random middleware
boxes.
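As an added illustration of the policy the commit message describes (this is not Pyramid's own code): the check is enforced only for HTTPS requests, prefers the Origin header and falls back to Referer, and rejects an HTTPS request that carries neither. The request is modelled as a plain dict with `scheme`, `host` and `headers` keys, and the `trusted_origins` parameter is an assumed extension, both chosen here so the block runs stand-alone.

```python
# Added example of the origin check described in the commit message.
# Illustrative code, not Pyramid's implementation; the request shape
# (a dict of scheme, host and headers) is a constructed stand-in.
from urllib.parse import urlsplit


def _origin_of(url):
    """Return 'scheme://host[:port]' for a URL, or None if unparseable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers 'Origin: null' and junk values
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf_origin(request, trusted_origins=()):
    """Return True when the request's origin is acceptable.

    Mirrors the policy in the commit message: enforced only over HTTPS,
    because only there can a missing Referer be treated as suspicious
    rather than as proxy stripping. Origin is preferred, Referer is the
    fallback, and an HTTPS request with neither header is rejected.
    """
    if request["scheme"] != "https":
        return True  # not enforced on plain HTTP (per the commit message)

    headers = {k.lower(): v for k, v in request["headers"].items()}
    origin = headers.get("origin") or headers.get("referer")
    if not origin:
        return False  # HTTPS request with no evidence of its source

    actual = _origin_of(origin)
    if actual is None:
        return False

    # Scheme is part of the comparison, so an http:// Referer on an
    # https:// request is rejected as well (a downgraded origin).
    expected = f"https://{request['host']}".lower()
    allowed = {expected} | {o.lower() for o in trusted_origins}
    return actual in allowed


# Constructed sample requests
same_site = {"scheme": "https", "host": "example.test",
             "headers": {"Origin": "https://example.test"}}
cross_site = {"scheme": "https", "host": "example.test",
              "headers": {"Referer": "https://evil.test/form"}}
```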
Diffstat (limited to 'docs/narr/viewconfig.rst')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/narr/viewconfig.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 3b8f0353a..cd5b8feb0 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -215,6 +215,9 @@ Non-Predicate Arguments If this option is set to ``False`` then CSRF checks will be disabled regardless of the ``pyramid.require_default_csrf`` setting. + In addition, if this option is set to ``True`` or a string then CSRF origin + checking will be enabled. + See :ref:`auto_csrf_checking` for more information. .. versionadded:: 1.7 |
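Review bot: the two added lines state that setting this option to ``True`` or a string enables CSRF origin checking, but they omit the restriction the commit message gives as deliberate policy, namely that the origin check is only applied to requests served over HTTPS because a plain-HTTP request cannot distinguish a Referer stripped by middleware from a forged request. A reader of this section would otherwise expect the check on every request. Suggest wording the addition along the lines of "In addition, if this option is set to ``True`` or a string then CSRF origin checking will be enabled for requests served over HTTPS." Since the existing ``.. versionadded:: 1.7`` note sits directly below, it is also worth confirming that the ``auto_csrf_checking`` section this paragraph points to documents the HTTPS-only scope and what happens when the origin check fails.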
