Cross-domain and CSRF attacks

We are all going to different lives, hoping to earn something more precious than money in the days when we can't make a lot of money.

Cross-domain issues

A cross-domain problem arises when the page's JavaScript sends a request to a backend on a different origin. The backend normally returns the data, but the browser compares the origin of the response URL with the origin the front-end project was loaded from; if they differ, it refuses to hand the data to the script. This is the browser's same-origin policy at work.

Cross-domain mainly refers to a mismatch of domain name, port, or protocol between the page and the request target.

The browser's same-origin policy also prevents a class of security issues. "Same origin" means the same "protocol + domain name + port". Even if two different domain names resolve to the same IP address, they are not the same origin.

Without a same-origin policy, malware on the user's computer could, while the user visits website A, inject a request to some unknown website B into the page before the data is returned. Website B would then receive the user's normal cookies and could act on the user's behalf, causing the user losses.

Several cross-domain solutions:
1. JSONP: only GET requests are possible. The <script> tag is not restricted by the same-origin policy, so the request is written into the tag's src URL.

2. CORS (Cross-Origin Resource Sharing): the server adds the Access-Control-Allow-Origin response header.

3. Nginx proxy cross-domain

server {
        listen       8888; # this server listens on port 8888
        server_name first;
        location / {
            charset utf-8;          # display Chinese correctly
            add_header 'Access-Control-Allow-Origin' '*'; # allow every requesting origin
            add_header 'Access-Control-Allow-Credentials' 'true';  # must be true for cookies to be sent
            # note: browsers reject '*' combined with Allow-Credentials 'true' for credentialed requests; echo an explicit, trusted origin instead
            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS'; # supported request methods
            add_header 'Access-Control-Allow-Headers' 'Content-Type,*';
            if ($request_method = 'OPTIONS') {
                return 204; # answer the preflight with an empty response
            }
            proxy_pass http://127.0.0.1:8082; # default upstream for requests no other location matches: the local service started with `node start` on port 8082
        }
    }
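The Nginx block above sets a wildcard origin together with credentials, which browsers refuse to honour for cookie-bearing requests. The following is an added example (not from the original post, and not Nginx's logic) that shows the same CORS policy done with an explicit allow-list in plain Python: the `ALLOWED_ORIGINS` set, the `cors_headers` and `handle_request` functions, and the origins used are all constructed for this illustration.

```python
# Added example: minimal server-side CORS policy with an origin allow-list,
# mirroring what the add_header lines in the Nginx config are trying to do.
# Names and the allow-list are constructed for this illustration.
from typing import Optional

# Constructed allow-list of trusted front-end origins (scheme + host + port).
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "http://localhost:8080",
}


def cors_headers(origin: Optional[str], allow_credentials: bool = True) -> dict:
    """Return the CORS response headers for a request carrying `origin`.

    A browser only exposes a credentialed response (cookies sent) when the
    server echoes the exact requesting origin; '*' combined with
    Access-Control-Allow-Credentials: true is rejected.  So the Origin header
    is compared against an explicit allow-list and unknown origins get nothing.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Unknown or missing origin: no CORS headers at all, so the browser
        # blocks script access to the response.
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # The response differs per origin, so caches must key on Origin.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, PUT, POST, DELETE, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, X-CSRFToken",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def handle_request(method: str, request_headers: dict) -> tuple:
    """Tiny dispatcher returning (status, headers, body) for preflight or real requests."""
    origin = request_headers.get("Origin")
    headers = cors_headers(origin)
    if method == "OPTIONS":
        # Preflight: answer with the policy headers and an empty body (like `return 204`).
        return 204, headers, b""
    # Real request: the application would run here; CORS headers are attached
    # to whatever it produces.
    return 200, headers, b'{"ok": true}'


if __name__ == "__main__":
    print(handle_request("OPTIONS", {"Origin": "http://localhost:8080"}))
    print(handle_request("GET", {"Origin": "https://not-trusted.example.net"}))
```

The second call in the usage block produces a 200 with no CORS headers: the response is still served, but the browser will not let a script on the untrusted origin read it.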

Front-end projects commonly solve cross-domain problems with the development server's proxy (proxyTable in a Vue CLI project):

proxyTable: {
      '/api': {
        target: 'http://127.0.0.1:1000/', // origin of the API server
        changeOrigin: true, // required when the API is on a different origin
        pathRewrite: {
          '^/api': '/api' // rewrite the path prefix before forwarding (identity here)
        }
      }
    }

CSRF attack

A CSRF attack can be understood as an attacker borrowing your logged-in identity (the cookies your browser attaches automatically) and sending a request on your behalf. What CSRF can do includes sending emails, sending messages, stealing your account, even purchasing goods and transferring virtual currency; in short, it threatens your personal privacy and the security of your property. For this reason most browsers implement cross-domain request restrictions, which is a defense against CSRF at the browser level. It should be noted, however, that relying on the browser alone is not enough in a complex network environment: you also need to defend on the server or client side.

Middleware

process_request
process_view
process_response
process_exception
process_template_response

How does the middleware implement CSRF protection?
from django.views.decorators.csrf import csrf_exempt, csrf_protect (if the CSRF middleware is commented out in settings, the whole site is unprotected; adding @csrf_protect to a function marks that one view as requiring the check)
In the process_view method: check whether the view is decorated with @csrf_exempt (exempt from CSRF verification); otherwise take the token from the request body or headers and compare it against the token in the cookies.
For FBVs, @csrf_exempt and @csrf_protect can be applied directly.
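To make the CSRF paragraph and the process_view description above concrete, here is an added example (not Django's own code) that re-implements the decision flow of a CsrfViewMiddleware-style process_view in plain Python so it runs without Django installed: the `Request` class, the `csrf_exempt` decorator, the `transfer` and `webhook` views, and all token values are constructed for this illustration, and the real middleware additionally masks the token and checks the Referer/Origin headers, which is left out here.

```python
# Added example (not Django's code): simplified CSRF check in the style of
# CsrfViewMiddleware.process_view.  Request object, decorator, views and
# tokens are constructed for this illustration.
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"


def csrf_exempt(view):
    """Flag a view as exempt; Django's decorator likewise marks the wrapped view."""
    view.csrf_exempt = True
    return view


def new_token() -> str:
    """Fresh random token; the real middleware sets it in the csrftoken cookie."""
    return secrets.token_urlsafe(32)


class Request:
    """Constructed stand-in for a request object (attribute names follow Django's)."""
    def __init__(self, method, cookies=None, post=None, meta=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.META = meta or {}  # headers as Django exposes them, e.g. HTTP_X_CSRFTOKEN


def process_view(request: Request, view) -> str:
    """Return 'allow' or 'reject' following the middleware's decision order."""
    if getattr(view, "csrf_exempt", False):
        return "allow"   # @csrf_exempt: the check is skipped for this view
    if request.method in SAFE_METHODS:
        return "allow"   # safe methods are not checked; they must not change state
    cookie_token = request.COOKIES.get(COOKIE_NAME, "")
    if not cookie_token:
        return "reject"  # no cookie, nothing to compare against
    # Token from the form field or, for AJAX calls, from the X-CSRFToken header.
    request_token = request.POST.get("csrfmiddlewaretoken") or request.META.get("HTTP_X_CSRFTOKEN", "")
    # Constant-time comparison so a mismatch does not leak token bytes via timing.
    if hmac.compare_digest(request_token.encode(), cookie_token.encode()):
        return "allow"
    return "reject"


def transfer(request):
    """Constructed state-changing view that must be protected."""
    return "transferred"


@csrf_exempt
def webhook(request):
    """Constructed view that opts out, as a third-party callback endpoint might."""
    return "ok"


def demo() -> dict:
    """Run constructed requests through process_view and return the decisions."""
    token = new_token()
    # Genuine form post: the page read the cookie-backed token and echoed it.
    legit = Request("POST", cookies={COOKIE_NAME: token}, post={"csrfmiddlewaretoken": token})
    # Cross-site post: the browser attaches the cookie automatically, but the
    # other site cannot read it, so it cannot supply the matching field.
    cross_site = Request("POST", cookies={COOKIE_NAME: token}, post={"amount": "100"})
    # AJAX post carrying the token in the header instead of the body.
    ajax = Request("POST", cookies={COOKIE_NAME: token}, meta={"HTTP_X_CSRFTOKEN": token})
    # Post with a token of the right length but the wrong value.
    wrong = Request("POST", cookies={COOKIE_NAME: token}, post={"csrfmiddlewaretoken": "x" * len(token)})
    return {
        "legit": process_view(legit, transfer),
        "cross_site": process_view(cross_site, transfer),
        "ajax": process_view(ajax, transfer),
        "exempt": process_view(cross_site, webhook),
        "get": process_view(Request("GET"), transfer),
        "wrong_token": process_view(wrong, transfer),
    }


if __name__ == "__main__":
    print(demo())
```

The cross-site request is rejected not because of where it came from but because the token in the body does not match the cookie; that is the property the same-origin policy alone does not give you, since the cookie is still sent.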

django.utils.decorators.method_decorator

Adding the decorator to an individual method of a CBV has no effect; it must be added to dispatch, passing csrf_exempt as a parameter to method_decorator.

Method 1:
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt

class A(View):
    @method_decorator(csrf_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

Method 2:
@method_decorator(csrf_exempt, name='dispatch')
class A(View):
    pass

Origin blog.csdn.net/qq_37304462/article/details/114333466