1.CSRF defined
- Camouflage requests from trusted users access to trusted sites, (the attacker stole your identity, to your name send malicious request)
- Produce condition
1、用户要登录受信任的网站,并在本地生成cookie
2、在不退出安全网站的情况下,访问危险网站
(1)验证 HTTP Referer 字段;查看请求来源的地址
(2)在请求地址中添加 token 并验证;
(3)在 HTTP 头中自定义属性并验证
(4)在表单中添加from.csrf_token
2. Cross-domain issues
- Front-end processing Jsonp
- The background is simple, non-simple request for pre-screening (options)
- response['Access-Control-Allow-Methods'] 指定cent_type,token
from django.middleware.security import MiddlewareMixin
class MyMiddle(MiddlewareMixin ):
def process_response(self,request,response):
if request .method=='OPTIONS':
response['Access-Control-Allow-Methods'] = '*'
response['Access-Control-Allow-Headers'] = '*'
response['Access-Control-Allow-Origin'] = '*'
return response
# 在settings里配置
# 'app01.utils.myMiddle.MyMiddle'