I’m making a simple Django app that takes data from a user submitted form, creates an image based on the data and displays the image to the user. The problem is that the form needs to be on an existing Wordpress site. The app will only perform this one task, and the image will be discarded, so there will be no user authentication, sessions, or anything like that. Is it safe to use @csrf_exempt to make this work?

Some of the answers to Do CSRF attacks apply to API's? suggest that a csrf token is not necessary if there is no user auth. However, some of the answers also suggest that there should be some other form of authentication in place instead.

And the answer to Django - CSRF verification failed - send data from form on static website to my django app suggests that there is a way to add a csrf token to a third party site, and this would make @csrf_exempt unnecessary.

Which of these approaches is right? If my understanding of csrf is correct it makes sense to me that there is no risk of csrf without user authentication. Such an attack would not be able to achieve anything, since the third party making the attack could not perform any task they can’t perform already?

The importance of csrf protection is emphasised so much in the learning resources, I just want to be really sure I don’t need it before I turn it off!

Thanks for your help!

Paul Griffin

1 Answer

Your analysis is right.

CSRF protections are necessary because browsers send the target domain's cookies regardless of what domain makes the request. If your server doesn't make use of cookies (for authentication or anything else) then you are not at risk for the kinds of attacks CSRF is designed to prevent.

Some of the answers to Do CSRF attacks apply to API's? suggest that a csrf token is not necessary if there is no user auth. However, some of the answers also suggest that there should be some other form of authentication in place instead.

There are, of course, pros and cons of different forms of authentication (specifically, cookie-and-session-based vs header-and-token-based), but I don't see anyone suggesting that you should use some other form of authentication instead of no authentication at all.

Kevin Christopher Henry
  • I see. I took "However, you should still follow best practices and protect every API-endpoint that actually makes a change with some form of authentication, such as OAuth." to mean that there should always be authentication in place, but for this use case I don't need it? – Paul Griffin Oct 27 '17 at 12:51
  • @PaulGriffin: That question was specifically about APIs, which are designed to be used programmatically and often require authentication. Authentication is used to protect private (per-user) resources and to allow tracking and limiting of API usage. Those don't seem to apply to the situation you described. – Kevin Christopher Henry Oct 27 '17 at 13:13
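The property the answer relies on can be checked mechanically: a view is safe to mark @csrf_exempt when a browser-attached cookie cannot change what it does. The following is an added example, not code from the question, the answer or Django; it models the stateless image endpoint from the question beside a session-backed view, with a plain-Python stand-in for the request (form fields and cookies as dicts), a constructed fake session store, and a tiny standard-library PNG writer so it runs offline. The function and field names (make_png, stateless_image_view, session_view, ambient_credentials_matter, "colour") are assumptions for illustration.

```python
"""Cookie-free image endpoint vs. session-backed endpoint, and a check for
whether ambient credentials (cookies) influence a view's behaviour.

Added example; not from the original post and not Django code. The request
is modelled as two dicts (form, cookies) and the session store is constructed.
"""
import struct
import zlib

# Constructed fake session store: only session_view ever consults it.
SESSIONS = {"victim-session": {"user": "alice", "can_delete": True}}


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a minimal solid-colour 8-bit RGB PNG with only the stdlib."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)

    # Each scanline starts with filter type 0 (None), then width RGB triples.
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def _dimension(value, cap: int = 256) -> int:
    """Clamp a user-supplied size to 1..cap so an anonymous caller cannot
    request an enormous image (an unauthenticated endpoint's main cost risk)."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        n = 1
    return max(1, min(n, cap))


def _colour(hexstr) -> tuple:
    """Parse 'rrggbb'; anything malformed falls back to black."""
    try:
        rgb = bytes.fromhex(str(hexstr))
    except ValueError:
        rgb = b""
    return tuple(rgb) if len(rgb) == 3 else (0, 0, 0)


def stateless_image_view(form: dict, cookies: dict) -> bytes:
    """The questioner's use case: output depends only on the submitted form.
    The cookies parameter is accepted and deliberately never read."""
    width = _dimension(form.get("width", 64))
    height = _dimension(form.get("height", 64))
    return make_png(width, height, _colour(form.get("colour", "000000")))


def session_view(form: dict, cookies: dict) -> str:
    """Contrast case: a state-changing view that trusts the session cookie.
    A forged cross-site POST from a logged-in victim's browser would carry
    that cookie, which is exactly what CSRF tokens exist to stop."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return "anonymous: nothing done"
    if form.get("action") == "delete" and session["can_delete"]:
        return f"deleted as {session['user']}"
    return "no-op"


def ambient_credentials_matter(view, form: dict) -> bool:
    """True when the same form gives a different result once the browser's
    cookie is attached, i.e. when a cross-site request could act as the
    victim. That is the question to ask before using @csrf_exempt."""
    without_cookie = view(form, cookies={})
    with_cookie = view(form, cookies={"sessionid": "victim-session"})
    return without_cookie != with_cookie


if __name__ == "__main__":
    image_form = {"width": "8", "height": "4", "colour": "ff0000"}
    print("image view needs CSRF protection:",
          ambient_credentials_matter(stateless_image_view, image_form))
    print("session view needs CSRF protection:",
          ambient_credentials_matter(session_view, {"action": "delete"}))
```

The size clamp in `_dimension` is a design choice rather than something the answer discusses: an endpoint open to any origin with no authentication should bound the work a single request can cause, since CSRF exemption removes a check but not the cost of serving anonymous traffic.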