Question

I am currently writing an iOS application that communicates with Django on the server side. When trying to do a POST, I want the communication to conform to the CSRF middleware that Django provides. I have the token properly passing, but in order for it to be fully functional I am also forced to set a header value in my requests:

[request setValue:@"https://mysite.com/" forHTTPHeaderField:@"Referer"];

My question is, does hard coding the Referer value pose any security issues? Could someone help me understand why Django does strict checks for this?

Was it helpful?

Solution

Checking the referer is a method of CSRF prevention. If an attacker forces a victim's browser into performing a POST or GET request using JavaScript/HTML/Flash, then the referer value will either be blank or the URL where the attacker's CSRF exploit originated from. In any case, an attacker cannot set the referer to be https://mysite.com/ in a CSRF exploit, so this check helps mitigate the attack.

Setting the HTTP referer in an iOS app has absolutely zero security impact.
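The following is an added illustration (not Django's own code and not from the answer above) of the strict Referer check the answer describes: on HTTPS requests a missing Referer or one from a foreign origin is rejected, while a request whose Referer names the site itself (such as the iOS app's hard-coded value) passes. The `check_referer` function, its simplified host comparison and the constructed sample requests are assumptions for this example.

```python
from urllib.parse import urlsplit


def check_referer(scheme, host, headers, trusted_origins=()):
    """Return (accepted, reason) for a state-changing request.

    Mirrors the idea of Django's strict check: only HTTPS requests are
    inspected, and the Referer must be present, use https, and name either
    the site's own host or an explicitly trusted origin. Simplified model,
    not Django's implementation.
    """
    if scheme != "https":
        return True, "referer not checked on plain http"
    referer = headers.get("Referer")
    if not referer:
        return False, "missing referer"
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.netloc:
        return False, "malformed or non-https referer"
    origin = f"{parts.scheme}://{parts.netloc}"
    if parts.netloc == host or origin in trusted_origins:
        return True, "ok"
    return False, f"referer origin {origin} does not match {host}"


# Constructed sample requests, all POSTs to https://mysite.com/.
SAMPLE_REQUESTS = {
    # The iOS app from the question: Referer set to the site itself.
    "ios_app": {"Referer": "https://mysite.com/"},
    # A browser POST launched from a page on a third-party origin.
    "cross_site_form": {"Referer": "https://other.example/page.html"},
    # A browser that sent no Referer at all (e.g. a no-referrer policy).
    "no_referer": {},
    # A downgrade: referer claims plain http on an https request.
    "http_referer": {"Referer": "http://mysite.com/"},
}


def classify_samples():
    """Run every constructed request through the check; returns name -> accepted."""
    return {
        name: check_referer("https", "mysite.com", headers)[0]
        for name, headers in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, accepted in classify_samples().items():
        print(f"{name:16s} -> {'accepted' if accepted else 'rejected'}")
```

Only the app's own request is accepted; the three cases a cross-site page could produce are rejected, which is why the app setting the header on its own behalf does not weaken the check.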

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow