jazzband/django-rest-knox

Is CSRF necessary with django-rest-knox?

tim89643 opened this issue · 3 comments

Hi!

Is it correct that I can safely disable CSRF on all endpoints that are protected with django-rest-knox?

Looking into authentication methods and CSRF I learned:

If authentication isn't automatic (typically provided by the browser) then you don't have to worry about CSRF protection. If your application is attaching the credentials via an Authorization header then the browser can't automatically authenticate the requests, and CSRF isn't possible. (source)

While this is talking about JWT tokens, it also seems to apply to the bearer tokens that django-rest-knox uses (?)

I'm looking for some confirmation or counter points to my current understanding. All input is appreciated!

Sidenote:
I've currently disabled CSRF by setting django-drf DEFAULT_AUTHENTICATION_CLASSES = knox.auth.TokenAuthentication:

I'm no expert but this Information Security Stack Exchange thread seems to agree with you

If you are using it in the browser, you should store the token in a secret (http-safe) cookie which in turn requires csrf to be fully protected.

If you are using it in a server to server scenario, you don’t need csrf.

Ok, that clears it up. Thank you
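The thread's rule of thumb (credentials the browser attaches by itself need CSRF protection; an Authorization header set by first-party script does not) can be made concrete with a small simulation. The following is an added illustration, not code from django-rest-knox or Django REST Framework: the authenticator functions, the `Request` shape, the cookie names and the sample token are simplified stand-ins for the real middleware and authentication classes. It models a legitimate first-party request and a forged cross-site request (which carries the victim's cookies but cannot carry custom headers) against three ways of presenting the credential, plus the case where CSRF checking is switched off for cookie-based auth.

```python
"""Why a knox-style bearer token in the Authorization header is not CSRF-exposed,
while any credential carried in a cookie is. Illustrative model only (not the
django-rest-knox or DRF implementation); names and values are constructed."""

from dataclasses import dataclass, field

VALID_TOKEN = "knoxtoken-0123"      # constructed sample credential
VALID_SESSION = "sess-abc"          # constructed sample session id
SESSION_COOKIE = "sessionid"
CSRF_COOKIE = "csrftoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def csrf_check(request):
    """Double-submit style check: for unsafe methods the X-CSRFToken header must
    match the csrftoken cookie. A cross-site page cannot read that cookie, so it
    cannot supply a matching header."""
    if request.method in SAFE_METHODS:
        return
    cookie = request.cookies.get(CSRF_COOKIE)
    header = request.headers.get("X-CSRFToken")
    if not cookie or header != cookie:
        raise Forbidden("CSRF token missing or incorrect")


def session_authenticate(request, enforce_csrf=True):
    """Session cookie: attached automatically by the browser, so CSRF applies."""
    if request.cookies.get(SESSION_COOKIE) != VALID_SESSION:
        return None
    if enforce_csrf:
        csrf_check(request)
    return "alice"


def knox_header_authenticate(request):
    """Token in the Authorization header: only first-party script can add it,
    so a forged cross-site request arrives with no credential at all."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or token != VALID_TOKEN:
        return None
    return "alice"


def token_in_cookie_authenticate(request):
    """Same token, but stored in a cookie: automatic again, so CSRF is back."""
    if request.cookies.get("knox") != VALID_TOKEN:
        return None
    csrf_check(request)
    return "alice"


def browser_request(method, stored_cookies, js_headers=None, cross_site=False):
    """The browser sends every cookie it holds for the site regardless of which
    page issued the request; custom headers exist only when first-party script
    sets them, which a cross-site page cannot do."""
    headers = {} if cross_site else dict(js_headers or {})
    return Request(method, dict(stored_cookies), headers)


def outcome(authenticator, request):
    try:
        return authenticator(request) or "anonymous"
    except Forbidden:
        return "forbidden"


def demo():
    """Returns (legitimate result, forged result) for each credential placement."""
    # Constructed victim state: logged-in session, CSRF cookie, and the knox
    # token also present as a cookie for the cookie-storage scenario.
    user_cookies = {SESSION_COOKIE: VALID_SESSION, CSRF_COOKIE: "c9f", "knox": VALID_TOKEN}
    first_party_headers = {"Authorization": f"Token {VALID_TOKEN}", "X-CSRFToken": "c9f"}
    legit = browser_request("POST", user_cookies, first_party_headers)
    forged = browser_request("POST", user_cookies, cross_site=True)
    scenarios = {
        "session": session_authenticate,
        "session_csrf_disabled": lambda r: session_authenticate(r, enforce_csrf=False),
        "knox_header": knox_header_authenticate,
        "token_cookie": token_in_cookie_authenticate,
    }
    return {name: (outcome(fn, legit), outcome(fn, forged)) for name, fn in scenarios.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} legit={result[0]:9s} forged={result[1]}")
```

The forged request is rejected as `forbidden` for the session cookie and for a token kept in a cookie, comes through as `anonymous` for the Authorization-header token (no credential was sent, so there is nothing to protect), and is accepted as `alice` only when cookie-based auth runs with CSRF checking disabled. That last row is the configuration the thread warns against: dropping CSRF is safe only when the credential is not something the browser attaches on its own.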