How do you secure your GET requests from CSRF? #177

Closed
ronny-rentner opened this issue Nov 20, 2024 · 3 comments
Comments

@ronny-rentner

How do you protect from CSRF when doing GET requests to trigger actions?

@crccheck
Owner

There isn't CSRF protection for GET. There are some middlewares and settings that can help. I can't remember the name of the Django packages that help, but there is a list of general security tips at https://docs.djangoproject.com/en/5.1/topics/security/

@ronny-rentner
Author

Using GET requests for object actions in the django-object-actions extension (or any framework) can pose significant security risks, particularly in the context of CSRF. Let's break this down in detail:

Why Using GET for Actions Is Problematic

1. CSRF Vulnerability:
   A CSRF attack tricks authenticated users into performing unwanted actions by making them visit a maliciously crafted URL. Since GET requests don't typically require CSRF tokens, they are more susceptible to such attacks when used for actions.
   Example: https://example.com/admin/app/model/object/action?param=value
   An attacker could embed this URL in an image tag, email, or script, causing an authenticated admin to unknowingly execute the action.

2. Violates HTTP Semantics:
   The HTTP spec dictates that GET should be safe and idempotent, meaning it should not modify server state. Using GET for actions violates this principle.

3. Caching Risks:
   Intermediaries like proxies or browsers might cache GET responses. If your action modifies data or has sensitive side effects, caching can lead to unpredictable behavior.

4. Log Exposure:
   Sensitive data included in GET query parameters may be logged in server logs, browser histories, or analytics systems.

Specific Risks with django-object-actions

The django-object-actions extension simplifies adding actions to Django admin, often using buttons or links. However, if these actions rely on GET requests:

- Unintentional Triggering: Buttons rendered as links can be triggered by crawlers or accidental clicks.
- CSRF Exploits: Attackers can embed action URLs to exploit authenticated users.
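As an added illustration (not code from this thread or from django-object-actions), here is a Django-free Python model of the point made above: a synchronizer-token CSRF check is skipped for safe methods, so an admin action reachable over GET is never covered by it, and only binding the action to POST brings it under the check. The `Request`, `csrf_check` and `run_action` names and the sample requests are constructed for this example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Methods a synchronizer-token CSRF check leaves alone (same set Django's middleware treats as safe).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SITE_ORIGIN = "https://example.com"  # constructed: the admin site's own origin


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a Django object)."""
    method: str
    path: str
    origin: Optional[str] = None           # Origin header the browser sends on cross-site requests
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_check(request: Request, site_origin: str = SITE_ORIGIN) -> Optional[str]:
    """Return None if the request passes, else a short reason.

    Safe methods are not checked at all: that is exactly the gap a GET-triggered action
    falls into. Unsafe methods must come from the site's own origin and carry a form
    token equal to the cookie token.
    """
    if request.method in SAFE_METHODS:
        return None
    if request.origin != site_origin:
        return "origin mismatch"
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.post.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return "token mismatch"
    return None


def run_action(request: Request, allowed_methods: set) -> tuple:
    """Model an admin object action view; returns (status, action_executed)."""
    if request.method not in allowed_methods:
        return 405, False
    if csrf_check(request) is not None:
        return 403, False
    return 200, True  # the state-changing action runs here


# Constructed sample: what a cross-site <img src="..."> fetch looks like to the server.
# The browser attaches the admin session cookie, but no Origin header and no token.
FORGED_GET = Request("GET", "/admin/app/model/1/actions/publish/")
```

With the action bound to `{"GET", "POST"}` the forged GET executes the action; bound to `{"POST"}` only, the same request is refused and a cross-site POST fails the origin and token checks.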

@crccheck
Owner

Essentially a duplicate of #16.
