CSRF protection in subdomains

tildebox · January 28, 2023, 11:47am

On the website, customers automatically receive a subdomain when registering.

I read up on CSRF and CSRF in subdomains can apparently be solved using CSRF_COOKIE_DOMAIN.

Nevertheless, the following lines in the official Django documentation give me a headache:

Limitations
Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers.

Source: Cross Site Request Forgery protection | Django documentation | Django

How can I increase protection in subdomains?

KenWhitesell · January 29, 2023, 12:06am

It as much depends upon how much control you have over that subdomain as anything else.

If all traffic to/from that domain is going through your Django stack, and no one else has the ability to handle requests for that subdomain, you could probably greatly improve the situation by adding some middleware to filter the cookies being sent/received.
(That’s in part what’s implied by “(or, are at least unable to set cookies)”.)

Topic		Replies	Views
Skip CSRF token checking Django Internals	14	756	February 17, 2024
How to use Cross Site Request Forgery protection correctly? Using Django	2	494	February 16, 2021
How to send Django CSRF token in response header (insted of cookies) Forms & APIs	1	1173	December 7, 2022
Safari not including csrf cookie in post request Mystery Errors	2	2442	June 20, 2022
CSRF protection for REST APIs Using Django	3	2082	December 1, 2021

CSRF protection in subdomains

Related Topics