
I'm currently working on a project that uses a Django API server and a NodeJS server running React. In development we're running Django on port 8000 and NodeJS on port 8080, and currently React is responsible for rendering the page and interacting with the Django API, which provides data for React. In order for React to call Django APIs, we've enabled CORS in Django since they're on different ports.

My questions are the following:

  1. Is it safe to allow all CORS in production?

  2. If not using Django's template system, is the site still protected against CSRF by default? If not, how can CSRF be prevented in such a setting (React+Django)?

Tinyik

  • How does the API authenticate users? This is a key question wrt CSRF. I.e., is there a Bearer token, or a session id in a cookie, or something else? – Gabor Lengyel Jan 18 '18 at 22:06

1 Answer

  1. Yes, it's safe to use CORS in production if you allow it for the correct origin domains. For example, if you are using django-cors-headers, use CORS_ORIGIN_ALLOW_ALL=False and a set of domains for CORS_ORIGIN_WHITELIST.

  2. As the answers to this question explain, DRF uses CSRF tokens if using SessionAuthentication. However, if you are using another authentication mechanism (for example, token authentication or JWT), you are also protected by the client browser not allowing insecure requests from untrusted origins, i.e. those not in your CORS_ORIGIN_WHITELIST. See the answers to this question regarding the security of CORS vs. CSRF tokens for preventing CSRF in general.

dukebody
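As an added example (not part of the question or answer above), a small deploy-time check for the django-cors-headers settings the answer names: it flags CORS_ORIGIN_ALLOW_ALL=True, the allow-all plus credentials combination that exposes a session-cookie-authenticated API to every site, and whitelist entries that are not proper origins. The two settings dicts are constructed samples and check_cors_settings is a hypothetical helper, not part of django-cors-headers.

```python
from urllib.parse import urlsplit

# Constructed sample: the development setup the question describes (React on
# port 8080 calling Django on port 8000 with CORS opened up for convenience).
DEV_SETTINGS = {
    "CORS_ORIGIN_ALLOW_ALL": True,
    "CORS_ORIGIN_WHITELIST": [],
    "CORS_ALLOW_CREDENTIALS": True,   # needed for session-cookie auth
}

# Constructed sample: a production configuration along the answer's lines.
PROD_SETTINGS = {
    "CORS_ORIGIN_ALLOW_ALL": False,
    "CORS_ORIGIN_WHITELIST": ["https://app.example.com"],
    "CORS_ALLOW_CREDENTIALS": True,
}

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def check_cors_settings(settings):
    """Return a list of findings for a settings mapping; an empty list passes.

    Hypothetical helper (not part of django-cors-headers): it only inspects
    the values, it does not change them.
    """
    findings = []
    allow_all = settings.get("CORS_ORIGIN_ALLOW_ALL", False)
    whitelist = settings.get("CORS_ORIGIN_WHITELIST", [])
    credentials = settings.get("CORS_ALLOW_CREDENTIALS", False)

    if allow_all:
        findings.append("CORS_ORIGIN_ALLOW_ALL=True: any site may call the API")
        if credentials:
            # With credentials the middleware echoes the caller's Origin instead
            # of '*', so a cookie-authenticated response becomes readable cross-site.
            findings.append("ALLOW_ALL combined with CORS_ALLOW_CREDENTIALS")
    elif not whitelist:
        findings.append("no allowed origins: browsers will block the React client")

    for origin in whitelist:
        parts = urlsplit(origin)
        # Entries must be full origins (scheme://host[:port]): no path, no wildcard.
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or "*" in parts.netloc):
            findings.append(f"{origin!r} is not a scheme://host[:port] origin")
        elif parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append(f"{origin!r} allows a plain-http origin in production")
    return findings
```

Running it over DEV_SETTINGS yields two findings and over PROD_SETTINGS none; a bare hostname such as 'app.example.com' (the pre-3.0 whitelist format) is reported as not an origin.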