Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The global CSRF protection in this Pyramid app is configured with `check_origin=False` (an argument of `config.set_default_csrf_options(...)`), which disables the automatic origin check. With that check on, Pyramid requires, for HTTPS requests using an unsafe method, that the `Origin` header (or the `Referer` when `Origin` is absent) match the request's own host or an entry in `pyramid.csrf_trusted_origins`. Turning it off leaves the CSRF token as the only defense. That matters most when tokens are stored in a cookie (`CookieCSRFStoragePolicy`): the double-submit cookie pattern can be defeated by anyone able to set cookies for the site, such as a sibling subdomain or an active network attacker, and the origin check is exactly the layer meant to stop that.
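To make concrete what the flag switches off, the following is a stand-alone model of the origin check, added here as an example; it is not Pyramid's own code and does not import Pyramid. It follows the rule Pyramid applies (HTTPS requests with an unsafe method must carry an `Origin`, or failing that a `Referer`, matching the site's own origin or a trusted origin) but takes trusted origins as full `scheme://host` strings and uses a constructed `Request` class in place of the real request object; both are simplifications assumed for the example. With `check_origin=False` every constructed request is accepted; with the default `True`, only the same-site ones are.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Methods Pyramid treats as safe by default; they are never origin-checked.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    """Minimal stand-in for a WSGI request, constructed for this example."""
    method: str
    scheme: str                 # "http" or "https"
    host: str                   # e.g. "app.example"
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def origin(self) -> str:
        return f"{self.scheme}://{self.host}".lower()


def origin_of(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None                      # covers "null" and garbage values
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf_origin(request: Request, trusted_origins: Sequence[str] = (),
                      check_origin: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason).

    check_origin=False reproduces the flagged configuration: the function
    accepts every request without looking at Origin or Referer at all.
    """
    if not check_origin:
        return True, "origin check disabled"
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if request.scheme != "https":
        # Pyramid (following Django) only checks origins on HTTPS requests.
        return True, "plain http: origin not checked"
    value = request.headers.get("Origin") or request.headers.get("Referer")
    if value is None:
        return False, "no Origin or Referer header"
    origin = origin_of(value)
    if origin is None:
        return False, f"unusable origin {value!r}"
    allowed = {request.origin, *(o.lower() for o in trusted_origins)}
    if origin in allowed:
        return True, f"origin {origin} allowed"
    return False, f"cross-site origin {origin}"


# Constructed sample requests, all POSTs to https://app.example.
SAMPLES = {
    "same_site":  Request("POST", "https", "app.example", {"Origin": "https://app.example"}),
    "referer":    Request("POST", "https", "app.example", {"Referer": "https://app.example/form"}),
    "cross_site": Request("POST", "https", "app.example", {"Origin": "https://evil.example"}),
    "no_origin":  Request("POST", "https", "app.example", {}),
    "partner":    Request("POST", "https", "app.example", {"Origin": "https://partner.example"}),
}


def evaluate(check_origin: bool, trusted_origins: Sequence[str] = ()) -> Dict[str, bool]:
    """Run every sample through the check and report which ones get through."""
    return {name: check_csrf_origin(req, trusted_origins, check_origin)[0]
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"check_origin={setting}:")
        for name, req in SAMPLES.items():
            ok, why = check_csrf_origin(req, check_origin=setting)
            print(f"  {name:<10} {'pass' if ok else 'BLOCK':<5} {why}")
```

In the real app the corrected setting is simply to leave `check_origin` at its default (`config.set_default_csrf_options(require_csrf=True, check_origin=True)`) and to list any legitimate cross-origin posters in `pyramid.csrf_trusted_origins` rather than disabling the check. The origin check complements the token check; it does not replace it.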
Impact
With the origin check disabled, the CSRF token is the only thing standing between an attacker's page and a state-changing request made with the victim's session. If that token can be obtained or planted (for example, by a sibling subdomain writing the CSRF cookie when `CookieCSRFStoragePolicy` is used, or by an active network attacker injecting a cookie over a plain-HTTP page of the same site), the attacker can make an authenticated user's browser perform unintended actions: changing data, altering account settings, or triggering other privileged operations, putting both users and the application at risk.