Does that mean, as I expect, that it is safe to generate and use a random CSRF token (through a reimplementation of how it is generated from Django) from a browser SPA before each request?
I already have a working PoC, I’m hesitating to clean and publish it as a standalone lib, but I don’t want to do it if:
this is actually insecure
this could break without notice from any Django update as the methods responsible for token generation are supposed to be used internally (it would be ok to me if that was at least considered a breaking change and I would be sure it would end-up in the changelog, but I don’t think that would be the case, as the frontend isn’t supposed to know the nature of the CSRF Token it handles)
Which points to Google Groups discussion where Django security team member explains the details and reasoning behind the implementation. I recommend the full read of it.
Exactly, my link was directly pointing to that specific subsection
That’s why it also seemed secure to me to generate it frontend-side, but you never know… I’d rather ask anyway, thanks for your answer
My only fear now is that the way Django generates and consumes those tokens could change in a higher version (what ends-up being stored in the cookies is not just a random string)
I’ll probably just add a way to automatically check that if I end-up releasing that lib, thank you