pyramid.csrf
¶
- class LegacySessionCSRFStoragePolicy[source]¶
A CSRF storage policy that defers control of CSRF storage to the session.
This policy maintains compatibility with legacy ISession implementations that know how to manage CSRF tokens themselves via
ISession.new_csrf_token
andISession.get_csrf_token
.Note that using this CSRF implementation requires that a session factory is configured.
New in version 1.9.
- class SessionCSRFStoragePolicy(key='_csrft_')[source]¶
A CSRF storage policy that persists the CSRF token in the session.
Note that using this CSRF implementation requires that a session factory is configured.
key
The session key where the CSRF token will be stored. Default: _csrft_.
New in version 1.9.
- class CookieCSRFStoragePolicy(cookie_name='csrf_token', secure=False, httponly=False, domain=None, max_age=None, path='/', samesite='Lax')[source]¶
An alternative CSRF implementation that stores its information in unauthenticated cookies, known as the 'Double Submit Cookie' method in the OWASP CSRF guidelines. This gives some additional flexibility with regards to scaling as the tokens can be generated and verified by a front-end server.
New in version 1.9.
- get_csrf_token(request)[source]¶
Get the currently active CSRF token for the request passed, generating a new one using
new_csrf_token(request)
if one does not exist. This calls the equivalent method in the chosen CSRF protection implementation.New in version 1.9.
- new_csrf_token(request)[source]¶
Generate a new CSRF token for the request passed and persist it in an implementation defined manner. This calls the equivalent method in the chosen CSRF protection implementation.
New in version 1.9.
- check_csrf_origin(request, trusted_origins=None, raises=True)[source]¶
Check the
Origin
of the request to see if it is a cross site request or not.If the value supplied by the
Origin
orReferer
header isn't one of the trusted origins andraises
isTrue
, this function will raise apyramid.exceptions.BadCSRFOrigin
exception, but ifraises
isFalse
, this function will returnFalse
instead. If the CSRF origin checks are successful this function will returnTrue
unconditionally.Additional trusted origins may be added by passing a list of domain (and ports if non-standard like
['example.com', 'dev.example.com:8080']
) in with thetrusted_origins
parameter. Iftrusted_origins
isNone
(the default) this list of additional domains will be pulled from thepyramid.csrf_trusted_origins
setting.Note that this function will do nothing if
request.scheme
is nothttps
.New in version 1.7.
Changed in version 1.9: Moved from
pyramid.session
topyramid.csrf
- check_csrf_token(request, token='csrf_token', header='X-CSRF-Token', raises=True)[source]¶
Check the CSRF token returned by the
pyramid.interfaces.ICSRFStoragePolicy
implementation against the value inrequest.POST.get(token)
(if a POST request) orrequest.headers.get(header)
. If atoken
keyword is not supplied to this function, the stringcsrf_token
will be used to look up the token inrequest.POST
. If aheader
keyword is not supplied to this function, the stringX-CSRF-Token
will be used to look up the token inrequest.headers
.If the value supplied by post or by header cannot be verified by the
pyramid.interfaces.ICSRFStoragePolicy
, andraises
isTrue
, this function will raise anpyramid.exceptions.BadCSRFToken
exception. If the values differ andraises
isFalse
, this function will returnFalse
. If the CSRF check is successful, this function will returnTrue
unconditionally.See Checking CSRF Tokens Automatically for information about how to secure your application automatically against CSRF attacks.
New in version 1.4a2.
Changed in version 1.7a1: A CSRF token passed in the query string of the request is no longer considered valid. It must be passed in either the request body or a header.
Changed in version 1.9: Moved from
pyramid.session
topyramid.csrf
and updated to use the configuredpyramid.interfaces.ICSRFStoragePolicy
to verify the CSRF token.