| author | Donald Stufft <donald@stufft.io> | 2016-04-15 17:59:55 -0400 |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2016-04-15 18:31:23 -0400 |
| commit | 21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173 (patch) | |
| tree | 378c537494498bf517562e41baccb8ce43a8145b /docs/whatsnew-1.7.rst | |
| parent | f12005b92fa9bb33f082bd50747eb11791605cff (diff) | |
Have Automatic CSRF on all unsafe HTTP methods
Instead of only protecting against unsafe POST requests, have the automatic
CSRF protect on all methods which are not defined as "safe" by RFC2616.
Diffstat (limited to 'docs/whatsnew-1.7.rst')
| -rw-r--r-- | docs/whatsnew-1.7.rst | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/whatsnew-1.7.rst b/docs/whatsnew-1.7.rst index 83ece690e..b85e65ec1 100644 --- a/docs/whatsnew-1.7.rst +++ b/docs/whatsnew-1.7.rst @@ -39,14 +39,14 @@ Feature Additions to security checks. See https://github.com/Pylons/pyramid/pull/2021 - Added a new setting, ``pyramid.require_default_csrf`` which may be used - to turn on CSRF checks globally for every POST request in the application. + to turn on CSRF checks globally for every request in the application. This should be considered a good default for websites built on Pyramid. It is possible to opt-out of CSRF checks on a per-view basis by setting ``require_csrf=False`` on those views. See :ref:`auto_csrf_checking` and https://github.com/Pylons/pyramid/pull/2413 -- Added a ``require_csrf`` view option which will enforce CSRF checks on POST +- Added a ``require_csrf`` view option which will enforce CSRF checks on requests. If the CSRF check fails a ``BadCSRFToken`` exception will be raised and may be caught by exception views (the default response is a ``400 Bad Request``). This option should be used in place of the deprecated |
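Review bot: The new wording in the ``pyramid.require_default_csrf`` entry, "for every request in the application", overstates the scope. Per the commit message the automatic check covers only methods not defined as "safe" by RFC2616, so a reader could conclude that GET requests are checked as well. Suggest "for every request that uses an unsafe HTTP method (one not defined as safe by RFC 2616)", and the same qualifier in the ``require_csrf`` entry, where "will enforce CSRF checks on requests" now names no method at all. Spelling out the boundary also makes it clear that a view which changes state in response to a safe method gets no automatic check.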
