hansonkd | 6 months ago | on: Why do we have both CSRF protection and CORS?
You don't need to store CSRF in sessions. Django doesn't by default.
CSRF token can be entirely separate from sessions.
smagin | 6 months ago
Not only do you not need to, you shouldn't. Sessions shouldn't be accessible to JS at all.
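The session-independent token both comments describe, as an added example written in the style of Django's default (CSRF_USE_SESSIONS = False); this is illustrative code, not Django's own implementation. The cookie and field names csrftoken, csrfmiddlewaretoken and sessionid follow Django's defaults, and the mask/unmask scheme is an assumption that mirrors Django's approach of a 32-character secret masked into a 64-character token.

```python
# Added example (not Django's own code): a CSRF token that lives in its own
# cookie, never in the server-side session, so the session cookie can stay
# HttpOnly and the check works for anonymous users with no session at all.
import hmac
import secrets

CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SECRET_LEN = 32  # assumption: Django-style 32-char secret, 64-char masked token


def new_csrf_secret() -> str:
    """Random secret for the csrftoken cookie; independent of any session."""
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))


def mask_secret(secret: str) -> str:
    """Per-request masking: token = mask + (secret shifted by mask), so every
    rendered form carries a different token while the cookie secret is unchanged."""
    mask = "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))
    shifted = "".join(CHARS[(CHARS.index(s) + CHARS.index(m)) % len(CHARS)]
                      for s, m in zip(secret, mask))
    return mask + shifted


def unmask_token(token: str) -> str:
    """Inverse of mask_secret: recover the underlying secret from a token."""
    mask, shifted = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(c) - CHARS.index(m)) % len(CHARS)]
                   for c, m in zip(shifted, mask))


def csrf_check(cookies: dict, form: dict) -> bool:
    """Server-side check: the submitted form token must unmask to the cookie
    secret. No session lookup is involved anywhere in this comparison."""
    secret = cookies.get("csrftoken", "")
    token = form.get("csrfmiddlewaretoken", "")
    if len(secret) != SECRET_LEN or len(token) != 2 * SECRET_LEN:
        return False
    if any(c not in CHARS for c in secret + token):
        return False  # reject malformed input before indexing into CHARS
    return hmac.compare_digest(unmask_token(token), secret)


def set_cookie_headers(session_id: str, csrf_secret: str) -> list:
    """Session cookie is HttpOnly (JS cannot read it); the CSRF cookie is not,
    so fetch()/XHR code can copy it into an X-CSRFToken request header."""
    return [
        f"Set-Cookie: sessionid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        f"Set-Cookie: csrftoken={csrf_secret}; Secure; SameSite=Lax; Path=/",
    ]
```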