Mastering Django POST Requests: CSRF

Quite a few folks playing with Django run into this problem: POST requests inexplicably return 403 Forbidden. I hope this post answers all the questions.

Three steps

To enable CSRF protection for your views, follow these steps:
1. Add the middleware `django.middleware.csrf.CsrfViewMiddleware` to your list of middleware classes in `settings.py`, MIDDLEWARE_CLASSES. (It should come before any view middleware that assumes that CSRF attacks have been dealt with.)

Alternatively, you can use the decorator `@csrf_protect` on particular views you want to protect (see below).

I tried @csrf_exempt and that works too.

@csrf_exempt disables the CSRF check for the decorated view function.

2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

`<form action="." method="post">{% csrf_token %}`
This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.
3. In the corresponding view functions, ensure that the `django.core.context_processors.csrf` context processor is being used. Usually, this can be done in one of two ways:

Use RequestContext, which always uses `django.core.context_processors.csrf` (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting). If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.

Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:

    from django.core.context_processors import csrf
    from django.shortcuts import render_to_response

    def my_view(request):
        c = {}
        c.update(csrf(request))  # adds csrf_token to the template context
        # ... view code here
        return render_to_response("a_template.html", c)
You may want to write your own render_to_response() wrapper that takes care of this step for you. The utility script extras/csrf_migration_helper.py can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.

In plain terms, this is what you need:

The submitted form must carry a csrfmiddlewaretoken field:

    <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">

When submitting via AJAX you have to add it by hand:

Django generates the token when it renders the form and also stores it in the cookie (csrftoken), so it can be read from there.

    // serialise every input in the modal except the buttons
    var param = $.param($('#addipModal :input:not(button)'));
    $.ajax({
        url: "{% url 'attendence:ip_add'%}",
        method: "post",
        // append the token read from the csrftoken cookie (jquery.cookie plugin)
        data: param + "&csrfmiddlewaretoken=" + $.cookie('csrftoken'),
        success: function(data) {
            $("#cancelip").click();
            alert(data);
            window.location.reload();
        }
    });
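To see why the 403 appears, here is a simplified, constructed model of the check CsrfViewMiddleware performs on an unsafe request; it is an added illustration, not Django's code (real Django masks the token, reads the header name from settings and also checks Origin/Referer on HTTPS). `ajax_body` builds the POST body the same way the jQuery snippet above does.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Methods Django never subjects to the CSRF check
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_check(method, cookies, body, headers=None, csrf_exempt=False):
    """Return None if the request is accepted, else the reason for the 403.

    Simplified model (not Django's implementation): the token submitted in
    the csrfmiddlewaretoken field or X-CSRFToken header must match the
    csrftoken cookie.
    """
    if csrf_exempt or method.upper() in SAFE_METHODS:
        return None  # @csrf_exempt views and safe methods are never checked
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return "CSRF cookie not set"  # page was rendered without the cookie
    fields = parse_qs(body)
    submitted = (fields.get("csrfmiddlewaretoken") or [""])[0]
    if not submitted:
        submitted = (headers or {}).get("X-CSRFToken", "")
    if not submitted:
        return "CSRF token missing"  # no csrfmiddlewaretoken in the POST
    if not hmac.compare_digest(cookie_token, submitted):
        return "CSRF token incorrect"  # does not match the cookie
    return None


def ajax_body(form_fields, cookies):
    """Serialised form fields plus the token copied from the cookie,
    mirroring `param + "&csrfmiddlewaretoken=" + $.cookie('csrftoken')`."""
    return urlencode(form_fields) + "&csrfmiddlewaretoken=" + cookies.get("csrftoken", "")


if __name__ == "__main__":
    # constructed sample: the cookie set when the form page was rendered
    cookies = {"csrftoken": "abc123"}
    print(csrf_check("POST", cookies, "ip=10.0.0.1"))                     # CSRF token missing
    print(csrf_check("POST", cookies, ajax_body({"ip": "10.0.0.1"}, cookies)))  # None
```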

Official documentation: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
