CSRF protection in subdomains

kfan · April 29, 2025, 11:33pm

See this thread about signing the CSRF cookie to increase protection in subdomains: Signing the CSRF cookie

You can override Django’s CSRF middleware, specifically the methods _get_secret and _set_csrf_cookie to perform otherwise the same logic but instead use request.get_signed_cookie and response.set_signed_cookie respectively.

If you override Django’s CSRF middleware to add this additional protection, then you likely will have to override Django’s LoginView (if you are using it) since the built-in LoginView uses Django’s built-in csrf middleware on this line @method_decorator(csrf_protect)

Topic		Replies	Views
Django 4.0 wildcard subdomain preventing from setting csrf token Using Django	28	7571	January 19, 2022
Truly Separate Subdomain Sessions Using Django	3	238	May 12, 2025
Signing the CSRF cookie Django Internals	6	263	April 29, 2025
403 Forbidden due to CSRF validation failing on client domains Using Django	2	900	June 17, 2020
Multiple csrftoken cookies Using Django	3	1097	March 29, 2021

CSRF protection in subdomains

Related topics