From 65dee6e4ca0c0c607e97db0c9e55768f10591a58 Mon Sep 17 00:00:00 2001
From: Donald Stufft <donald@stufft.io>
Date: Fri, 15 Apr 2016 20:42:20 -0400
Subject: In addition to CSRF token, verify the origin too

Add an additional layer of protection against CSRF by verifying the actual
origin of the request in addition to the CSRF token. We only do this check on
sites hosted behind HTTPS because only HTTPS sites have evidence to show that
the Referrer header is not being spuriously removed by random middleware
boxes.
---
 docs/api/exceptions.rst | 2 ++
 docs/api/session.rst    | 2 ++
 2 files changed, 4 insertions(+)

(limited to 'docs/api')

diff --git a/docs/api/exceptions.rst b/docs/api/exceptions.rst
index faca0fbb6..cb411458d 100644
--- a/docs/api/exceptions.rst
+++ b/docs/api/exceptions.rst
@@ -5,6 +5,8 @@
 
 .. automodule:: pyramid.exceptions
 
+  .. autoexception:: BadCSRFOrigin
+
   .. autoexception:: BadCSRFToken
 
   .. autoexception:: PredicateMismatch
diff --git a/docs/api/session.rst b/docs/api/session.rst
index 474e2bb32..56c4f52d7 100644
--- a/docs/api/session.rst
+++ b/docs/api/session.rst
@@ -9,6 +9,8 @@
 
   .. autofunction:: signed_deserialize
 
+  .. autofunction:: check_csrf_origin
+
   .. autofunction:: check_csrf_token
 
   .. autofunction:: SignedCookieSessionFactory
-- 
cgit v1.2.3