Missing Cross-Site Request Forgery (CSRF) token(s)

• Rule ID: python_django_csrf_protection_disabled
• Languages: python
• Source: csrf_protection_disabled.yml

Description

In a Django application, using @csrf_exempt to disable CSRF (Cross-Site Request Forgery) protection can introduce increased security risks. CSRF is a forgery attack that tricks authenticated users into executing unintended actions on the website, potentially compromising security or data integrity of your application.

Remediations

• Do not mark Djanog routes as CSRF exempt

  @csrf_exempt # unsafe
  def my_risky_route():

References

• Django CSRF protection

Associated CWE

• CWE-352: Cross-Site Request Forgery (CSRF)

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_csrf_protection_disabled

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_csrf_protection_disabled