Everything you didn't want to know about Cross-site Request Forgery (CSRF) in Django
09-23, 11:15–12:05 (Europe/Lisbon), Workshops

Have you ever wondered what Cross-site Request Forgery is all about? Did you solve your CSRF problem in your single-page application by copy-pasting something from StackOverflow or decorating all your views with csrf_exempt without knowing what these things are actually doing? If so, this talk is for you.

In this talk, we will unwrap an underestimated class of security vulnerabilities and explore what Cross-site Request Forgery (CSRF) is all about, what can (and can't) be used to protect against CSRF attacks and how Django (REST Framework) deals with all of it.

If that sounds scary, don't worry. I promise you, your application's business logic is harder to understand than this. After this talk, you won't be confused by CSRF ever again.

What is Cross-site Request Forgery (CSRF) all about?

We will explain the attack flow and the parties and components involved in depth, and illustrate why protecting against CSRF is so important. We will tinker with some easy-to-understand examples to explain all of it. The example project will be shared after the talk so that you can try all of it at home. After all, one of the best ways to learn is to experiment!

What can (and can't) be used to protect against CSRF attacks?

Equipped with the knowledge of what Cross-site Request Forgery is, we will talk about the current best practices to prevent CSRF attacks.

How do Django & Django REST Framework prevent CSRF attacks?

In the final and biggest section of the talk, we will have a look at what Django and Django REST Framework provide to protect our applications against CSRF attacks. We will explain the most important settings and how to configure the system properly. A particular focus will be placed on single-page applications, since it's harder and more complex to get this setup up and running.

You should have a basic understanding of how Django and web applications work, including HTTP, HTML and JavaScript. If you have completed the official Django and Django REST Framework tutorials, you should be able to follow this talk quite easily.

Here is the link to the slides and projects: https://www.andreas.earth/s/djangocon-22/

Andreas is a lead software development engineer at wirbauen.digital GmbH, a German Construction Tech startup that tries to digitize the construction industry.