| author | Bert JW Regeer <xistence@0x58.com> | 2016-04-15 16:39:16 -0600 |
|---|---|---|
| committer | Bert JW Regeer <xistence@0x58.com> | 2016-04-15 16:39:16 -0600 |
| commit | d534c450deeb0163629d7993f6faf12a97b2813c (patch) | |
| tree | 378c537494498bf517562e41baccb8ce43a8145b /docs/whatsnew-1.7.rst | |
| parent | bf33b200bbb72114ca55150724b0a4c51d7ef535 (diff) | |
| parent | 21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173 (diff) | |
| download | pyramid-d534c450deeb0163629d7993f6faf12a97b2813c.tar.gz pyramid-d534c450deeb0163629d7993f6faf12a97b2813c.tar.bz2 pyramid-d534c450deeb0163629d7993f6faf12a97b2813c.zip | |
Merge pull request #2500 from dstufft/improve-csrf
Increase the protection provided by the CSRF checks
Diffstat (limited to 'docs/whatsnew-1.7.rst')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/whatsnew-1.7.rst | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/whatsnew-1.7.rst b/docs/whatsnew-1.7.rst index 83ece690e..b85e65ec1 100644 --- a/docs/whatsnew-1.7.rst +++ b/docs/whatsnew-1.7.rst @@ -39,14 +39,14 @@ Feature Additions to security checks. See https://github.com/Pylons/pyramid/pull/2021 - Added a new setting, ``pyramid.require_default_csrf`` which may be used - to turn on CSRF checks globally for every POST request in the application. + to turn on CSRF checks globally for every request in the application. This should be considered a good default for websites built on Pyramid. It is possible to opt-out of CSRF checks on a per-view basis by setting ``require_csrf=False`` on those views. See :ref:`auto_csrf_checking` and https://github.com/Pylons/pyramid/pull/2413 -- Added a ``require_csrf`` view option which will enforce CSRF checks on POST +- Added a ``require_csrf`` view option which will enforce CSRF checks on requests. If the CSRF check fails a ``BadCSRFToken`` exception will be raised and may be caught by exception views (the default response is a ``400 Bad Request``). This option should be used in place of the deprecated |
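Review bot: dropping "POST" from both bullets leaves the documentation saying CSRF checks apply to "every request" and "on requests" without stating which HTTP methods are actually checked, which is the detail a reader of a what's-new page needs most. A CSRF check that also rejects GET, HEAD or OPTIONS would break ordinary navigation, while one that exempts them silently changes the protection boundary, so the sentence should name the exempt methods (or point to the section of :ref:`auto_csrf_checking` that does) rather than leave it implicit. The second bullet also now ends in a dangling "on requests."; something like "enforce CSRF checks on all requests except those using safe methods" (adjusted to match what the code does) would read better and carry the missing information.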
