Scheming with CSRF: When platforms manage to break things.

Oct 18 12:00 PM PDT :calendar: to 12:25 pm
Audience level: All

About This Talk

When Django 4.0 was released, a small change to the CSRF_TRUSTED_ORIGINS was in the change notes: the scheme must now be provided.

This change would cause any deployment on Cloud Run to fail. But not App Engine. 🤔

Follow along as we dive into the complexities that Django saves you from, what managed services handle for you (that you have no control over), and what happens when these things don’t work as expected. We’ll dive into PEP-3333, CGI specifications, WSGI implementations, and what happens when the standards don’t actually tell you what to do.

Attendees will come away with an understanding of how important it is to set ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS to prevent all this in the first place.

A note on Audience Level: This talk is written to be accessible to beginners, while tackling advanced topics. This speaker is happy to help any attendee lost with the content after the talk in the conference hallway ✨


    Photo of Katie McLaughlin

    Katie McLaughlin (she/they)

    Katie has worn many different hats over the years. She has been a software developer for many languages, systems administrator for multiple operating systems, and speaker on many different topics.

    She is currently a Developer Advocate for Google Cloud, where she helps improve the experience of the platform for Python and Django developers.

    When she’s not changing the world, she enjoys cooking, making tapestries, and seeing just how well various application stacks handle emoji.