
> you still need hooks in place at your application level to be able to disable csrf checks

Why would you want to disable the csrf check?




One example: for AJAX requests. From http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

Most modern JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP header; these requests are detected and automatically not handled by this [CSRF] middleware. We can do this safely because, in the context of a browser, the header can only be added by using XMLHttpRequest, and browsers already implement a same-domain policy for XMLHttpRequest.


Fair enough, but it doesn't mean your app requires hooks since the middleware can just not use CSRF if the x-requested-with header exists.
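To make the middleware-level behaviour discussed in this thread concrete, here is an added example (my own code, not Django's implementation) of a CSRF check that follows the quoted documentation: safe methods pass, requests carrying X-Requested-With: XMLHttpRequest are exempted, and everything else must echo the csrftoken cookie in the csrfmiddlewaretoken form field. The function and the names `new_token` and `csrf_check` are assumptions for illustration; in a real deployment this runs once in middleware so the application needs no hooks of its own.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Read-only methods are never checked; state-changing ones are.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
CSRF_COOKIE = "csrftoken"             # cookie name used by Django
CSRF_FIELD = "csrfmiddlewaretoken"    # hidden form field Django expects


def new_token() -> str:
    """Issue a fresh random token to set as the csrftoken cookie."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str,
               headers: Mapping[str, str],
               cookies: Mapping[str, str],
               form: Mapping[str, str]) -> Optional[str]:
    """Return None if the request may proceed, otherwise a rejection reason.

    Decision order, modelled on the Django description quoted above:
      1. safe methods are not checked;
      2. X-Requested-With: XMLHttpRequest exempts the request, because in a
         browser only same-origin XMLHttpRequest can attach that header;
      3. anything else must present a form token equal to the cookie token.
    """
    if method.upper() in SAFE_METHODS:
        return None
    # Header names are case-insensitive; normalise before the lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("x-requested-with") == "XMLHttpRequest":
        return None
    cookie_token = cookies.get(CSRF_COOKIE)
    form_token = form.get(CSRF_FIELD)
    if not cookie_token or not form_token:
        return "CSRF token missing"
    # Constant-time comparison so a mismatch does not leak token bytes by timing.
    if not hmac.compare_digest(cookie_token, form_token):
        return "CSRF token mismatch"
    return None


if __name__ == "__main__":
    tok = new_token()  # constructed sample token for the demo below
    print(csrf_check("POST", {}, {CSRF_COOKIE: tok}, {CSRF_FIELD: tok}))
    print(csrf_check("POST", {"X-Requested-With": "XMLHttpRequest"}, {}, {}))
    print(csrf_check("POST", {}, {CSRF_COOKIE: tok}, {CSRF_FIELD: "wrong"}))
```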



