In Django, if I set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True, it ensures only secure cookies are sent over https.
Now my Django web project serves traffic over both http and https. If I set the aforementioned flags, will it cause any problems for traffic over http? Or that traffic will continue to be served normally?
These settings tell the browser not to send session and csrf cookies over http. So you won't be able to submit forms (unless you explicitly bypass csrf check) and you won't be able to use sessions over http. This is the goal of these settings.
Related
I previously posted about not being able to send HttpOnly cookie from nextJS to django either from getServerSideProps or from useEffect here. I think the reason is that my django and Nextjs are running on different domains. So I need to have same domains for both back-end and front-end. Does it mean that requests from nextJS should go from 127.0.0.1:8000 instead of 127.0.0.1:3000?
If yes, do I need to use proxy within Nextjs?
Also, I have set-up django-cors-headers, does it still require proxy?
Yes. You'll need to set up a proxy server that will forward your requests from 127.0.0.1:3000 to 127.0.0.1:8000. That way, your cookies will be shared with your backend server since the browser will assume they are from the same origin.
As for setting up a http proxy on nextjs, you can refer to this Github Answer
Setting django CORS headers will not apply to your cookies. CORS refers to requests from different origins and setting these headers will allow your backend to receive requests from different origins as you have specified in your allowedHosts declerative. Cookies can be shared within different subdomains but never different domains.
I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
Myself and the server engineer have added SameSite=None to the cookie as well as secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "this Set-Cookie" was blocked because it had the "Secure" attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
Need to make my localhost https somehow?
Need to make the dev-server domain https?
Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
No
Yes
No
You can run your app on http://localhost:port. Assuming response from your dev server has in response headers Set-Cookie of the cookie which has Secure flag, your dev server URL has to be https in order to have the cookie accepted by the browser.
I have this setup and it works just well.
Regarding CORS (as mentioned in the title of the question): you have to have you server configured to accept credentials and to have allowed origins configured. The client app when doing XHR request has to have withCredentials:true. Check the points 2 and 3 in my post for details.
Also note, that if you are using Chrome you can bypass for development purposes the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here
TO protect app from CSRF attack we set a cookie named XSRF-TOKEN from server side. So from client side code we are able to set-cookie and send across to server, But to validate CSRF in the server side we need to send header while firing 'POST' service call. As per angular document automatically $http sets header X-XSRF-TOKEN by reading the cookie ( Please refer link), but Javascript code is unable to read the cookie though we have deployed our application on same domain.
Server side cookie generation code and service deployment details are as below,
final Cookie newCookie = new Cookie(
"XSRF-TOKEN",
csrfValue);
newCookie.setPath("/");
httpResponse.addCookie(newCookie);
UI is deployed in 8080 port and service is deployed in port 8084 inside same VM
Port 8080 and 8084 are different origins, so you can't read cookies from one on the other, the same as you can't access the cookies of any other website in javascript running on yours.
How does the service authenticate the user? If it's token based, and the token is sent as a request header, you don't even need further protection from csrf.
I am able to setup django-allauth with social login using this tutorial.
However I need running all my website in https.
Can django-allauth be successfully and reliably used with django-sslify?
The web server you're hosting Django in handles SSL. If you put Nginx or Apache in front, for example, they will do all the SSL work. Django won't have any concept of being HTTP vs HTTPS.
The django-sslify module doesn't make a site run in SSL, it just redirects any detected non-SSL request to the equivalent SSL URL.
For django-allauth to work with SSL, all you need to do is ensure the configuration of redirect URLs is set to https://... etc.
I have implemented loadbalancing for my django website. My loadbalancing server is https but my individual servers are http. I have set SESSION_COOKIE_SECURE to True in my individual servers settings.py file.
If I hit the server directly with loadbalancer, Cookie is secured and working fine (Because the loadbalancing server is https secured).
But if I hit individual servers the page is redirected to the login page and the user won't be able to login (Because individual servers are not secured).
As per the django doc, I have included SECURE_PROXY_SSL_HEADER in settings.py but it supports only django 1.4 version. I'm using Django 1.3 for my website.
I need to secure cookie for my loadbalancing server and the realips (individual servers)
Any solution in Django 1.3 ?
Thanks in advance