CSRF protection in subdomains

tildebox · January 28, 2023, 11:47am

On the website, customers automatically receive a subdomain when registering.

I read up on CSRF and CSRF in subdomains can apparently be solved using CSRF_COOKIE_DOMAIN.

Nevertheless, the following lines in the official Django documentation give me a headache:

Limitations
Subdomains within a site will be able to set cookies on the client for the whole domain. By setting the cookie and using a corresponding token, subdomains will be able to circumvent the CSRF protection. The only way to avoid this is to ensure that subdomains are controlled by trusted users (or, are at least unable to set cookies). Note that even without CSRF, there are other vulnerabilities, such as session fixation, that make giving subdomains to untrusted parties a bad idea, and these vulnerabilities cannot easily be fixed with current browsers.

Source: Cross Site Request Forgery protection | Django documentation | Django

How can I increase protection in subdomains?

KenWhitesell · January 29, 2023, 12:06am

It as much depends upon how much control you have over that subdomain as anything else.

If all traffic to/from that domain is going through your Django stack, and no one else has the ability to handle requests for that subdomain, you could probably greatly improve the situation by adding some middleware to filter the cookies being sent/received.
(That’s in part what’s implied by “(or, are at least unable to set cookies)”.)

Topic		Replies	Views
Django 4.0 wildcard subdomain preventing from setting csrf token Using Django	28	6494	January 19, 2022
Signing the CSRF cookie Django Internals	5	67	October 1, 2024
How CSRF protection works? Using Django	0	549	November 30, 2021
Skip CSRF token checking Django Internals	14	2368	February 17, 2024
How to use Cross Site Request Forgery protection correctly? Using Django	2	558	February 16, 2021

CSRF protection in subdomains

Related topics