pyramid.csrf

- class LegacySessionCSRFStoragePolicy
  A CSRF storage policy that defers control of CSRF storage to the session.
  This policy maintains compatibility with legacy ISession implementations that know how to manage CSRF tokens themselves via ISession.new_csrf_token and ISession.get_csrf_token.
  Note that using this CSRF implementation requires that a session factory is configured.
  New in version 1.9.

- class SessionCSRFStoragePolicy(key='_csrft_')
  A CSRF storage policy that persists the CSRF token in the session.
  Note that using this CSRF implementation requires that a session factory is configured.
  key: The session key where the CSRF token will be stored. Default: _csrft_.
  New in version 1.9.

- class CookieCSRFStoragePolicy(cookie_name='csrf_token', secure=False, httponly=False, domain=None, max_age=None, path='/', samesite='Lax')
  An alternative CSRF implementation that stores its information in unauthenticated cookies, known as the 'Double Submit Cookie' method in the OWASP CSRF guidelines. This gives some additional flexibility with regards to scaling, as the tokens can be generated and verified by a front-end server.
  New in version 1.9.

- get_csrf_token(request)
  Get the currently active CSRF token for the request passed, generating a new one using new_csrf_token(request) if one does not exist. This calls the equivalent method in the chosen CSRF protection implementation.
  New in version 1.9.

- new_csrf_token(request)
  Generate a new CSRF token for the request passed and persist it in an implementation-defined manner. This calls the equivalent method in the chosen CSRF protection implementation.
  New in version 1.9.

- check_csrf_origin(request, trusted_origins=None, raises=True)
  Check the Origin of the request to see if it is a cross-site request or not.
  If the value supplied by the Origin or Referer header isn't one of the trusted origins and raises is True, this function will raise a pyramid.exceptions.BadCSRFOrigin exception, but if raises is False, this function will return False instead. If the CSRF origin checks are successful this function will return True unconditionally.
  Additional trusted origins may be added by passing a list of domains (and ports if non-standard, like ['example.com', 'dev.example.com:8080']) in with the trusted_origins parameter. If trusted_origins is None (the default) this list of additional domains will be pulled from the pyramid.csrf_trusted_origins setting.
  Note that this function will do nothing if request.scheme is not https.
  New in version 1.7.
  Changed in version 1.9: Moved from pyramid.session to pyramid.csrf.
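The following is an added, self-contained illustration of the origin-check semantics described above; it is not Pyramid's own code. It re-implements the documented rules (skip when the scheme is not https, prefer Origin and fall back to Referer, trust the request's own host plus trusted_origins or the pyramid.csrf_trusted_origins setting) against a constructed minimal Request stand-in. The Request class, its settings attribute and the BadCSRFOrigin class here are assumptions made for the example.

```python
from urllib.parse import urlparse


class BadCSRFOrigin(Exception):
    """Stand-in for pyramid.exceptions.BadCSRFOrigin (constructed for this example)."""


class Request:
    """Constructed minimal stand-in for the Pyramid request: only what the check reads."""

    def __init__(self, scheme, host, headers=None, settings=None):
        self.scheme = scheme            # "https" or "http"
        self.host = host                # the app's own host, e.g. "example.com:8443"
        self.headers = headers or {}    # e.g. {"Origin": "https://example.com"}
        self.settings = settings or {}  # stands in for request.registry.settings


def _normalize(netloc):
    """Lower-case host[:port] and drop an explicit default https port."""
    netloc = netloc.lower()
    if netloc.endswith(":443"):
        netloc = netloc[:-4]
    return netloc


def _origin_netloc(url):
    """host[:port] of an Origin/Referer URL, or None if it is not an https URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    return _normalize(parsed.netloc)


def _fail(raises, reason):
    if raises:
        raise BadCSRFOrigin(reason)
    return False


def check_csrf_origin(request, trusted_origins=None, raises=True):
    """Origin check with the semantics documented for pyramid.csrf.check_csrf_origin.

    Illustrative re-implementation, not Pyramid's code. The setting is assumed to
    be either a whitespace-separated string or a list of host[:port] entries.
    """
    # The check does nothing for non-https requests.
    if request.scheme != "https":
        return True

    # No explicit list: fall back to the pyramid.csrf_trusted_origins setting.
    if trusted_origins is None:
        setting = request.settings.get("pyramid.csrf_trusted_origins", [])
        trusted_origins = setting.split() if isinstance(setting, str) else list(setting)

    # The request's own host is always trusted; extra hosts (with non-standard ports) are added.
    allowed = {_normalize(request.host)} | {_normalize(o) for o in trusted_origins}

    # Prefer Origin, fall back to Referer; with neither, same-site cannot be shown.
    supplied = request.headers.get("Origin") or request.headers.get("Referer")
    if not supplied:
        return _fail(raises, "Origin checking failed: no Origin or Referer header")

    netloc = _origin_netloc(supplied)
    if netloc is None:
        # Covers "Origin: null" and a plain-http referrer on an https request.
        return _fail(raises, "Origin checking failed: %r is not an https origin" % supplied)
    if netloc not in allowed:
        return _fail(raises, "Origin checking failed: %s is not a trusted origin" % netloc)
    return True
```

Note the behaviour on the edge cases the text calls out: a missing header fails rather than passes, a non-standard port only matches when it is listed with the port, and an http request is returned as True without any check at all, so this function on its own gives no protection unless the site is served over https.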
- check_csrf_token(request, token='csrf_token', header='X-CSRF-Token', raises=True)[source]¶
 Check the CSRF token returned by the
pyramid.interfaces.ICSRFStoragePolicyimplementation against the value inrequest.POST.get(token)(if a POST request) orrequest.headers.get(header). If atokenkeyword is not supplied to this function, the stringcsrf_tokenwill be used to look up the token inrequest.POST. If aheaderkeyword is not supplied to this function, the stringX-CSRF-Tokenwill be used to look up the token inrequest.headers.If the value supplied by post or by header cannot be verified by the
pyramid.interfaces.ICSRFStoragePolicy, andraisesisTrue, this function will raise anpyramid.exceptions.BadCSRFTokenexception. If the values differ andraisesisFalse, this function will returnFalse. If the CSRF check is successful, this function will returnTrueunconditionally.See Checking CSRF Tokens Automatically for information about how to secure your application automatically against CSRF attacks.
New in version 1.4a2.
Changed in version 1.7a1: A CSRF token passed in the query string of the request is no longer considered valid. It must be passed in either the request body or a header.
Changed in version 1.9: Moved from
pyramid.sessiontopyramid.csrfand updated to use the configuredpyramid.interfaces.ICSRFStoragePolicyto verify the CSRF token.
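As an added example (not Pyramid's code), the block below puts the check_csrf_token semantics together with the 'Double Submit Cookie' storage described for CookieCSRFStoragePolicy: the policy issues a random token in an unauthenticated cookie, and the check compares it against the value from the POST body or the header, never the query string, using a constant-time comparison. The Request stand-in, its response_cookies attribute and the explicit policy argument (Pyramid finds the configured ICSRFStoragePolicy through the registry instead) are assumptions made for this example.

```python
import hmac
import secrets


class BadCSRFToken(Exception):
    """Stand-in for pyramid.exceptions.BadCSRFToken (constructed for this example)."""


class Request:
    """Constructed minimal stand-in for the Pyramid request used by the token check."""

    def __init__(self, method, cookies=None, post=None, headers=None, query=None):
        self.method = method
        self.cookies = cookies if cookies is not None else {}
        self.POST = post or {}          # parsed form body
        self.headers = headers or {}    # e.g. {"X-CSRF-Token": "..."}
        self.GET = query or {}          # query string; deliberately never consulted
        self.response_cookies = {}      # what the policy would emit as Set-Cookie


class CookieCSRFStoragePolicy:
    """Double-submit cookie storage, modelled on the documented CookieCSRFStoragePolicy.

    The token lives in an unauthenticated cookie. A same-site page can read it
    (for instance via a template) and echo it in the form or a header; a
    cross-site page can make the browser send the cookie but cannot read its
    value, so it cannot produce the matching second copy.
    """

    def __init__(self, cookie_name="csrf_token"):
        self.cookie_name = cookie_name

    def new_csrf_token(self, request):
        token = secrets.token_hex(16)
        request.cookies[self.cookie_name] = token
        request.response_cookies[self.cookie_name] = token
        return token

    def get_csrf_token(self, request):
        token = request.cookies.get(self.cookie_name)
        if token is None:
            token = self.new_csrf_token(request)
        return token

    def check_csrf_token(self, request, supplied):
        expected = self.get_csrf_token(request)
        # Constant-time comparison so response timing does not leak matching prefixes.
        return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def check_csrf_token(request, policy, token="csrf_token", header="X-CSRF-Token", raises=True):
    """Token check with the documented semantics (policy passed explicitly here)."""
    supplied = None
    if request.method == "POST":
        supplied = request.POST.get(token)
    if supplied is None:
        supplied = request.headers.get(header)
    # A token in request.GET is ignored, matching the 1.7a1 change.
    if supplied is None or not policy.check_csrf_token(request, str(supplied)):
        if raises:
            raise BadCSRFToken("check_csrf_token(): Invalid token")
        return False
    return True
```

When the cookie is absent, get_csrf_token mints a fresh random token, so whatever value was supplied cannot match and the check fails closed. With the real CookieCSRFStoragePolicy the same property is why the cookie needs no server-side state, which is the scaling benefit the description mentions; in exchange the check depends on cross-site pages being unable to read the cookie, so the cookie's secure and samesite settings matter.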