Tags: django, security, rest, csrf, django-csrf

Cross Site Request Forgery in web services


So I am working on a project where there is going to be a Security review to ensure that we are keeping certain data safe (student data to be specific). I personally don't need to worry too much about this right now as the plan is "dev now, secure later" so in some sense I am doing "premature security optimization" but I'd like to know anyway.

I'm using Django, which has some cross-site request forgery protection built in. If I enable it I can't perform file uploads, but the solution it gives is to require a csrf_token to be put in a form, and I don't actually have a form, as this part of the project is just a service. So I am wondering: is it safe to mark this as exempt from CSRF protection?

There are no cookies set, there is no session stored, and every request must be authenticated via a small set of self-signed certificates I create and will only be giving to a small set of trusted people (currently 1). It does not seem to me that CSRF applies here, so that means I can mark what I need to as exempt from CSRF protection, right?


Solution

  • I don't know the ins and outs of your site but I would say no, it is not exempt from CSRF protection.

    Say your site was https://www.example.com, and I am assuming the self-signed certificates are SSL certificates used from the client side like this.

    Now say they can interact with your site, as they've installed their client cert in their browser. Now, say one of your users accidentally visits www.evil.com. www.evil.com has a hidden form that makes a request to your website from your user's browser. This form submits to https://www.example.com/delete_everything.

    Before your site does anything, it checks the client certificate - hey, it is valid, so it proceeds to do its stuff.

    This is why you need CSRF protection - something within the payload of the submitted form that needs to be first read from your own site (e.g. a token). If www.evil.com tries to read this via the user's browser, they cannot as it is protected by the Same Origin Policy.
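The scenario in the answer, simulated in Python as an added example (it is not code from the question or the answer, and it is not Django's real middleware): the browser attaches the installed client certificate to any request to example.com, whichever site started it, so a certificate-only check accepts the forged POST from www.evil.com, while a check that also demands a token first read from our own origin rejects it. The certificate fingerprint, the token store and the request objects are constructed here; the `X-CSRFToken` header name mirrors Django's default.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed fingerprint of the one trusted self-signed client certificate.
TRUSTED_CERTS = {"sha256:0123constructed"}

@dataclass
class Request:
    method: str
    client_cert: Optional[str]          # attached automatically by the browser once installed
    headers: Dict[str, str] = field(default_factory=dict)

# Tokens handed to authenticated clients, keyed by certificate (constructed store). In Django the
# token is the csrftoken cookie/session value compared with the form field or X-CSRFToken header.
ISSUED_TOKENS: Dict[str, str] = {}

def authenticate(request: Request) -> bool:
    """The certificate check from the question: it passes for ANY origin the browser sends from."""
    return request.client_cert in TRUSTED_CERTS

def issue_token(request: Request) -> str:
    """A GET on our own site hands a token to the page. Only same-origin code can read it."""
    token = secrets.token_hex(16)
    ISSUED_TOKENS[request.client_cert] = token
    return token

def delete_everything_exempt(request: Request) -> str:
    """Equivalent of marking the view csrf_exempt: the certificate alone authorises the action."""
    if not authenticate(request):
        return "401 unauthenticated"
    return "200 deleted"

def delete_everything_protected(request: Request) -> str:
    """Certificate AND a token that must have been read from our origin first."""
    if not authenticate(request):
        return "401 unauthenticated"
    expected = ISSUED_TOKENS.get(request.client_cert, "")
    presented = request.headers.get("X-CSRFToken", "")
    if not expected or not hmac.compare_digest(expected, presented):
        return "403 csrf failed"
    return "200 deleted"

def forged_request() -> Request:
    """Hidden form on www.evil.com: the browser still attaches the client cert, but the
    Same Origin Policy stops evil.com reading our token, so no header can be set."""
    return Request("POST", "sha256:0123constructed")

def legitimate_request() -> Request:
    """Our own page: reads the token from our origin, then sends it back in the header."""
    token = issue_token(Request("GET", "sha256:0123constructed"))
    return Request("POST", "sha256:0123constructed", {"X-CSRFToken": token})
```

Running the four cases shows the exempt endpoint deleting everything for the forged request while the protected one answers 403, which is the gap the answer describes.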