diff options
| author | Donald Stufft <donald@stufft.io> | 2016-04-15 17:59:55 -0400 |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2016-04-15 18:31:23 -0400 |
| commit | 21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173 (patch) | |
| tree | 378c537494498bf517562e41baccb8ce43a8145b /docs/narr | |
| parent | f12005b92fa9bb33f082bd50747eb11791605cff (diff) | |
| download | pyramid-21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173.tar.gz pyramid-21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173.tar.bz2 pyramid-21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173.zip | |
Have Automatic CSRF on all unsafe HTTP methods
Instead of only protecting against unsafe POST requests, have the automatic
CSRF protect on all methods which are not defined as "safe" by RFC2616.
Diffstat (limited to 'docs/narr')
| -rw-r--r-- | docs/narr/sessions.rst | 9 | ||||
| -rw-r--r-- | docs/narr/viewconfig.rst | 9 |
2 files changed, 10 insertions, 8 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index ad086268b..0e895ff81 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -411,15 +411,16 @@ Checking CSRF Tokens Automatically .. versionadded:: 1.7 -:app:`Pyramid` supports automatically checking CSRF tokens on POST requests. -Any other request may be checked manually. This feature can be turned on -globally for an application using the ``pyramid.require_default_csrf`` setting. +:app:`Pyramid` supports automatically checking CSRF tokens on requests with an +unsafe method as defined by RFC2616. Any other request may be checked manually. +This feature can be turned on globally for an application using the +``pyramid.require_default_csrf`` setting. If the ``pyramid.required_default_csrf`` setting is a :term:`truthy string` or ``True`` then the default CSRF token parameter will be ``csrf_token``. If a different token is desired, it may be passed as the value. Finally, a :term:`falsey string` or ``False`` will turn off automatic CSRF checking -globally on every POST request. +globally on every request. No matter what, CSRF checking may be explicitly enabled or disabled on a per-view basis using the ``require_csrf`` view option. This option is of the diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 40db5fbeb..3b8f0353a 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -195,10 +195,11 @@ Non-Predicate Arguments ``require_csrf`` - CSRF checks only affect POST requests. Any other request methods will pass - untouched. This option is used in combination with the - ``pyramid.require_default_csrf`` setting to control which request parameters - are checked for CSRF tokens. + CSRF checks will affect any request method that is not defined as a "safe" + method by RFC2616. In pratice this means that GET, HEAD, OPTIONS, and TRACE + methods will pass untouched and all others methods will require CSRF. This + option is used in combination with the ``pyramid.require_default_csrf`` + setting to control which request parameters are checked for CSRF tokens. This feature requires a configured :term:`session factory`. |