zoukankan      html  css  js  c++  java
  • 玩转Django的POST请求 CSRF

    玩转Django的POST请求 CSRF

    不少麻油们玩django都会碰到这个问题,POST请求莫名其妙的返回 403 foribidden,希望这篇博文能解答所有问题

    三种方法

    To enable CSRF protection for your views, follow these steps:
    
    1. Add the middleware`django.middleware.csrf.CsrfViewMiddleware` to your list ofmiddleware classes in `setting.py`, MIDDLEWARE_CLASSES. (It should comebefore any view middleware that assume that CSRF attacks havebeen dealt with.)
    
    Alternatively, you can use the decorator `@csrf_protect` on particular viewsyou want to protect (see below).
    

    我尝试了@csrf_exempt也可以呢
    8@csrf_exempt的作用是对当前view方法关闭CSRF

    2. In any template that uses a POST form, use the csrf_token tag insidethe <form> element if the form is for an internal URL, e.g.:
    
    `<form action="." method="post">{% csrf_token %}`
    This should not be done for POST forms that target external URLs, sincethat would cause the CSRF token to be leaked, leading to a vulnerability.
    
    3. In the corresponding view functions, ensure that the`django.core.context_processors.csrf` context processor isbeing used. Usually, this can be done in one of two ways:
    
    Use RequestContext, which always uses`django.core.context_processors.csrf` (no matter what yourTEMPLATE_CONTEXT_PROCESSORS setting). If you are usinggeneric views or contrib apps, you are covered already, since theseapps use RequestContext throughout.
    
    Manually import and use the processor to generate the CSRF token andadd it to the template context. e.g.:
    
    from django.core.context_processors import csrf
    from django.shortcuts import render_to_response
    
    def my_view(request):
        c = {}
        c.update(csrf(request))
        # ... view code here
        return render_to_response("a_template.html", c)
    You may want to write your ownrender_to_response() wrapper that takes careof this step for you.
    
    The utility script extras/csrf_migration_helper.py can help to automate thefinding of code and templates that may need these steps. It contains full helpon how to use it.
    

    说白了就是需要这些东东

    提交的时候得有个csrfmiddlewaretoken

    <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
    

    ajax提交的时候就需要手动添加了:
    django在加载form的时候会生成token,同时加到了cookie中

            var param = $.param($('#addipModal :input:not(button)'));
            $.ajax({
                url: "{% url 'attendence:ip_add'%}",
                method: "post",
                data: param + "&csrfmiddlewaretoken=" + $.cookie('csrftoken'),
                success: function(data) {
                    $("#cancelip").click();
                    alert(data);
                    window.location.reload();
                }
            });
    

    附官方文档地址:https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

  • 相关阅读:
    MYSQL查询优化:profile功能
    MYSQL查询优化:调度和锁定
    SSL/TLS 协议详解
    flash传值给javascript,并在html页面输出
    【图片预加载】
    【minheight】最小高度 IE6、7、FF
    【图片等比缩放】CSS解决
    标签的空链接 href="#" 替换方案
    【实现三角】css的border属性解决方案
    【PNG在IE6下透明】——3种方案
  • 原文地址:https://www.cnblogs.com/wancy86/p/django_post.html
Copyright © 2011-2022 走看看