During a penetration test of a Django application, an apparent CSRF bypass was discovered where arbitrary token values were accepted. This turns out to be by design: Django uses a double submit cookie pattern with masking, verifying only that the form token and the cookie value agree, not that the token was issued by the server. The post explains the token generation mechanism, why identical or arbitrary values are accepted, and the real security risks this introduces when combined with XSS, misconfigured cookies, or weak SameSite policies. Recommended hardening includes setting CSRF_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE='Strict', and optionally CSRF_USE_SESSIONS.
Table of contents

Observation
Understanding Django's CSRF Design
Token Generation
Why It's Still Passed
Security Implications
Recommended Hardening
Key Takeaways
Final Thoughts
Reference
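The check described in the summary above, as an added example that is not Django's own code: a simplified model of the masked double-submit scheme (the 62-character alphabet, 32-character secret and 64-character masked token mirror Django's constants, but the functions here are assumptions written for illustration). The verifier only confirms that the form token unmasks to the cookie's secret, which is why any self-consistent cookie/token pair passes and why cookie integrity (Secure, HttpOnly, SameSite) carries the protection.

```python
import secrets
import string
from hmac import compare_digest

# Constants chosen to mirror Django's scheme (assumption: modelled on
# django.middleware.csrf, not copied from it).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # 62 symbols
CSRF_SECRET_LENGTH = 32                                     # cookie value
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                  # mask || masked secret


def new_secret() -> str:
    """Per-client secret the server stores in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Form token: fresh random mask followed by (secret + mask) mod 62 per char.
    A new mask per page keeps the token different on every response (BREACH defence)
    without changing the underlying secret."""
    chars = CSRF_ALLOWED_CHARS
    mask = new_secret()
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: subtract the mask, char by char, mod 62."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(chars[(chars.index(c) - chars.index(m)) % len(chars)]
                   for c, m in zip(cipher, mask))


def is_valid_token(form_token: str, cookie_secret: str) -> bool:
    """What the middleware actually verifies: format, then token == cookie.
    No server-side state is consulted, so consistency is the whole check."""
    if len(form_token) != CSRF_TOKEN_LENGTH or len(cookie_secret) != CSRF_SECRET_LENGTH:
        return False
    if any(c not in CSRF_ALLOWED_CHARS for c in form_token + cookie_secret):
        return False
    return compare_digest(unmask_token(form_token), cookie_secret)


def demo() -> dict:
    """Legit pair passes; a mismatched pair fails; and a pair built from ANY
    well-formed secret also passes, which is the pentest 'bypass' observation."""
    server_secret = new_secret()
    return {
        "legit_pair_ok": is_valid_token(mask_secret(server_secret), server_secret),
        "mismatch_rejected": not is_valid_token(mask_secret(server_secret), new_secret()),
        "self_made_pair_ok": is_valid_token(mask_secret("A" * 32), "A" * 32),
    }
```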