Django study notes 4-csrf protection

1. CSRF verification failed. The request was interrupted.

This happens because Django's protection against cross-site request forgery rejects the form when the user submits it.

What is CSRF 

CSRF stands for Cross Site Request Forgery. Suppose a malicious website contains a link to your site. If a user is logged in to your website and clicks that link on the malicious website, a request is sent to your website, and your website will think the request was sent by the user himself, when in fact it was forged by the malicious website. The malicious website can also mimic your login page: the fooled user fills in the login information and clicks the submit button, and the malicious website then logs in to your site in the user's place, so that the user's information can be modified or values in the cookie can be obtained.

CSRF protection mechanism provided by Django

When Django responds to a client's request for the first time, it randomly generates a token on the server side and puts this token in a cookie. Every subsequent POST request must then carry this token, which prevents CSRF attacks.

  • In the returned HTTP response, Django adds a csrftoken cookie for you, whose value is an automatically generated token
  • Every POST form must include a csrfmiddlewaretoken field (just add a tag to the template and Django generates it for you; see below)
  • Before processing a POST request, Django checks that the value of the csrftoken cookie in the request matches the value of the csrfmiddlewaretoken field in the submitted form. If they match, the request is legitimate; otherwise it may be a CSRF attack from another site, and 403 Forbidden is returned.
  • In every AJAX POST request, add an X-CSRFToken header whose value is the value of the csrftoken cookie
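As an added illustration (not Django's own implementation), this standalone Python model reproduces the check described in the bullets above: the csrftoken cookie must match either the csrfmiddlewaretoken form field or the X-CSRFToken header, and a mismatch yields 403. The names issue_token and verify_request are invented for this example; real Django additionally masks the form-field token, so the two values are not byte-identical there.

```python
import hmac
import secrets

TOKEN_CHARS = 32  # length of the random token placed in the csrftoken cookie


def issue_token() -> str:
    """Generate the random per-client token that Django would put in the csrftoken cookie."""
    return secrets.token_hex(TOKEN_CHARS // 2)


def verify_request(cookies: dict, post_data: dict, headers: dict) -> int:
    """Simplified model of the CsrfViewMiddleware check for a POST request.

    Returns 200 when the csrftoken cookie matches the csrfmiddlewaretoken form
    field (regular form) or the X-CSRFToken header (AJAX), otherwise 403.
    """
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return 403  # no cookie at all: this client was never issued a token

    # A form rendered with {% csrf_token %} carries the token in a hidden field;
    # an AJAX request carries it in the X-CSRFToken header (header names are
    # case-insensitive, so compare them lowercased).
    submitted = post_data.get("csrfmiddlewaretoken")
    if submitted is None:
        submitted = next(
            (v for k, v in headers.items() if k.lower() == "x-csrftoken"), None
        )
    if submitted is None:
        # This is the forged cross-site case: the browser attaches the cookie
        # automatically, but the attacker's page cannot read it to fill in the field.
        return 403

    # Constant-time comparison so the check itself does not leak the token via timing.
    return 200 if hmac.compare_digest(cookie_token, submitted) else 403


if __name__ == "__main__":
    # Constructed sample requests for a quick local run.
    token = issue_token()
    print(verify_request({"csrftoken": token}, {"csrfmiddlewaretoken": token}, {}))  # 200
    print(verify_request({"csrftoken": token}, {}, {"X-CSRFToken": token}))          # 200
    print(verify_request({"csrftoken": token}, {}, {}))                               # 403
```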

How to use CSRF protection in Django

  • First of all, the most basic principle is: GET requests should not have side effects. Any code that handles a GET request must have "read-only" access to the resource.
  • Enable the django.middleware.csrf.CsrfViewMiddleware middleware
  • Add a {% csrf_token %} tag to every POST form element
  • When rendering templates, use RequestContext. RequestContext processes the csrf_token tag and automatically adds a hidden input named csrfmiddlewaretoken to the form

E.g.:

1. Put {% csrf_token %} inside the form in the template, and render the template with a RequestContext:

from django.template import RequestContext

# On Django 1.10 and later, render() always uses a RequestContext and the
# context_instance argument has been removed, so render(req, 'df_user/login.html') is enough.
return render(req, 'df_user/login.html', context_instance=RequestContext(req))

2. Or comment out the middleware in the Django project's settings.py (this disables CSRF protection for the whole project):     # 'django.middleware.csrf.CsrfViewMiddleware',

Origin http://43.154.161.224:23101/article/api/json?id=325623302&siteId=291194637