The Django documentation on its CSRF protection states that:
"In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)"
I have trouble visualizing how this attack works. Could somebody explain?
UPDATE:
The wording in the Django doc seems to imply that there is a specific type of man-in-the-middle attack (which leads to a successful CSRF I’d assume) that works with session independent nonce (but not with transaction specific nonce etc., I suppose) and involves the use of ‘Set-Cookie’ header.
So I wanted to know how that specific type of attack works.
Directly from the Django project
(I googled for session independent nonce.)
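To make the scenario the Django docs describe concrete, the following is an added simulation written for this page; it is not Django's code and not part of the question or any answer. It models three things under simplifying assumptions: a browser cookie jar that keys cookies on host only (so a Set-Cookie received over plain http:// is later sent to https:// on the same host), a Django-style double-submit CSRF check whose token is a session-independent nonce (the form field must simply equal the csrftoken cookie), and an attacker who can tamper with HTTP traffic but not with HTTPS. The hostname bank.example, the cookie and form field names, and the token values are all constructed for the example.

```python
"""Simulation of the cookie-injection CSRF attack against a
session-independent nonce, and of the strict Referer check that stops it.

Constructed example, not Django's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE = "bank.example"  # assumed hostname of the HTTPS site


@dataclass
class Request:
    url: str                 # full URL, scheme included
    cookies: Dict[str, str]  # cookies the browser attached for this host
    form: Dict[str, str]     # POST body fields
    referer: Optional[str] = None

    @property
    def is_https(self) -> bool:
        return urlsplit(self.url).scheme == "https"


@dataclass
class Browser:
    # Cookie jars are keyed on host, not on scheme: a Set-Cookie received
    # over http://bank.example is later sent to https://bank.example.
    # This is the behaviour the Django docs call "(unfortunately) accepted".
    jar: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def receive_set_cookie(self, host: str, name: str, value: str) -> None:
        self.jar.setdefault(host, {})[name] = value

    def submit(self, url: str, form: Dict[str, str],
               referer: Optional[str]) -> Request:
        host = urlsplit(url).hostname
        return Request(url, dict(self.jar.get(host, {})), form, referer)


def csrf_check(req: Request, strict_referer_on_https: bool) -> bool:
    """Double-submit check: the form token must equal the csrftoken cookie.

    The token is a session-independent nonce, so the server never ties it
    to the session; any value an attacker can plant in the cookie jar is a
    valid token.  The optional Referer check is the only thing that notices
    the request did not originate from an https:// page on this host.
    """
    cookie_token = req.cookies.get("csrftoken")
    if not cookie_token or req.form.get("csrfmiddlewaretoken") != cookie_token:
        return False
    if strict_referer_on_https and req.is_https:
        if req.referer is None:
            return False
        ref = urlsplit(req.referer)
        if ref.scheme != "https" or ref.hostname != urlsplit(req.url).hostname:
            return False
    return True


def run_attack(strict_referer_on_https: bool) -> bool:
    """Return True if the attacker's forged transfer is accepted."""
    victim = Browser()
    # 1. Legitimate HTTPS visit: the site sets a genuine csrftoken cookie.
    victim.receive_set_cookie(SITE, "csrftoken", "legit-nonce-1234")
    # 2. The victim loads some plain http:// page.  The man in the middle
    #    answers as http://bank.example and includes a Set-Cookie header;
    #    the browser stores it and will send it to https://bank.example too.
    victim.receive_set_cookie(SITE, "csrftoken", "attacker-nonce")
    # 3. The same injected page auto-submits a form to the HTTPS site using
    #    the token value the attacker just planted.  The Referer is the
    #    http:// page, so even with a matching host its scheme is wrong.
    forged = victim.submit(
        f"https://{SITE}/transfer",
        {"csrfmiddlewaretoken": "attacker-nonce", "to": "attacker", "amount": "1000"},
        referer=f"http://{SITE}/injected-by-mitm.html",
    )
    return csrf_check(forged, strict_referer_on_https)


def run_legitimate(strict_referer_on_https: bool) -> bool:
    """A genuine same-origin HTTPS form post passes with the check on or off."""
    browser = Browser()
    browser.receive_set_cookie(SITE, "csrftoken", "legit-nonce-1234")
    req = browser.submit(
        f"https://{SITE}/transfer",
        {"csrfmiddlewaretoken": "legit-nonce-1234", "to": "rent", "amount": "50"},
        referer=f"https://{SITE}/transfer",
    )
    return csrf_check(req, strict_referer_on_https)


if __name__ == "__main__":
    print("forged request, nonce check only:      ", run_attack(False))      # True
    print("forged request, nonce + referer check: ", run_attack(True))       # False
    print("legit request,  nonce + referer check: ", run_legitimate(True))   # True
```

With the nonce-only check the forged request is accepted, because the server only compares two values the attacker controls. Turning on the Referer check for HTTPS requests rejects it, since the submitting page was served over http://, while a real https://bank.example form still passes. The same model also shows why the docs say the attack needs a session-independent nonce: if the server compared the token against a value stored in the victim's server-side session instead of against a cookie, planting a cookie would not help the attacker.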