Python之路 67: Preventing CSRF (Cross-Site Request Forgery)


Contents

1. Introduction

2. Usage

3. Official example


1. Introduction

Django protects against cross-site request forgery through the middleware django.middleware.csrf.CsrfViewMiddleware. The protection can be configured in two scopes: globally, for every view, or locally, for individual views.


Global:

The middleware django.middleware.csrf.CsrfViewMiddleware, enabled in settings.


Local (per view):

@csrf_protect forces CSRF protection on the decorated view, even if the global middleware is not enabled in settings.

@csrf_exempt disables CSRF protection for the decorated view, even if the global middleware is enabled in settings.


Note: the decorators are imported with from django.views.decorators.csrf import csrf_exempt, csrf_protect


2. Usage


1. HTML form (the {% csrf_token %} tag renders the hidden csrfmiddlewaretoken field)

<form action="/login/" method="POST">
    {% csrf_token %}
    <input type="text" name="user"/>
    <input type="password" name="pwd"/>
    <input type="checkbox" name="rmb" value="1"> 10秒免登錄
    <input type="submit" name="提交"/>
</form>


2. Ajax


Adding the token to a single Ajax request (the value of the csrftoken cookie is sent in the X-CSRFToken header):

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form action="/login/" method="POST">
        {% csrf_token %}
        <input type="text" name="user"/>
        <input type="password" name="pwd"/>
        <input type="checkbox" name="rmb" value="1"> 10秒免登錄
        <input type="submit" name="提交"/>
        <input id="btn1" type="button" value="按鈕"/>
        <input id="btn2" type="button" value="按鈕"/>
    </form>
    <script src="/static/jquery-1.12.4.js"></script>
    <script src="/static/jquery.cookie.js"></script>
    <script>
        $(function () {
            $("#btn1").click(function () {
                $.ajax({
                    url: "/login/",
                    type: "POST",
                    data: {"user": "root", "pwd": "123"},
                    headers: {"X-CSRFtoken": $.cookie("csrftoken")},
                    success: function (arg) {

                    }
                });
            });
 
        });
    </script>
</body>
</html>


Adding the token to all Ajax requests via $.ajaxSetup, so the per-request headers option is no longer needed:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form action="/login/" method="POST">
        {% csrf_token %}
        <input type="text" name="user"/>
        <input type="password" name="pwd"/>
        <input type="checkbox" name="rmb" value="1"> 10秒免登錄
        <input type="submit" name="提交"/>
        <input id="btn1" type="button" value="按鈕"/>
        <input id="btn2" type="button" value="按鈕"/>
    </form>
    <script src="/static/jquery-1.12.4.js"></script>
    <script src="/static/jquery.cookie.js"></script>
    <script>
        $(function () {
{#            XMLHttpRequest#}
            $.ajaxSetup({
                beforeSend: function (xhr, settings) {
                    xhr.setRequestHeader("X-CSRFtoken", $.cookie("csrftoken"));
                }
            });

            $("#btn1").click(function () {
                $.ajax({
                    url: "/login/",
                    type: "POST",
                    data: {"user": "root", "pwd": "123"},
{#                    headers: {"X-CSRFtoken": $.cookie("csrftoken")},#}
                    success: function (arg) {

                    }
                });
            });

            $("#btn2").click(function () {
                $.ajax({
                    url: "/login/",
                    type: "POST",
                    data: {"user": "root", "pwd": "123"},
{#                    headers: {"X-CSRFtoken": $.cookie("csrftoken")},#}
                    success: function (arg) {

                    }
                });
            });
        });
    </script>
</body>
</html>

3. Official example (from the Django documentation)


test.html

<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    {% csrf_token %}
  
    <input type="button" onclick="Do();"  value="Do it"/>
  
    <script src="/static/plugin/jquery/jquery-1.8.0.js"></script>
    <script src="/static/plugin/jquery/jquery.cookie.js"></script>
    <script type="text/javascript">
        var csrftoken = $.cookie('csrftoken');
  
        function csrfSafeMethod(method) {
            // these HTTP methods do not require CSRF protection
            return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
        }
        $.ajaxSetup({
            beforeSend: function(xhr, settings) {
                if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                    xhr.setRequestHeader("X-CSRFToken", csrftoken);
                }
            }
        });
        function Do(){
  
            $.ajax({
                url:"/app01/test/",
                data:{id:1},
                type:'POST',
                success:function(data){
                    console.log(data);
                }
            });
  
        }
    </script>
</body>
</html>
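The examples above show the three places a token can come from (the csrftoken cookie, the hidden csrfmiddlewaretoken form field, the X-CSRFToken header) and the two switches that control the check (safe methods, @csrf_exempt). The following is an added, simplified pure-Python model of that decision, written for this page and not Django's own code: the real CsrfViewMiddleware additionally masks tokens and verifies Origin/Referer on HTTPS, which this model omits.

```python
import hmac
import secrets

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
CSRF_COOKIE = "csrftoken"           # cookie Django sets on the browser
CSRF_FIELD = "csrfmiddlewaretoken"  # hidden field rendered by {% csrf_token %}
CSRF_HEADER = "X-CSRFToken"         # header sent by the Ajax examples above


class Forbidden(Exception):
    """The check rejected the request (Django answers HTTP 403)."""


def new_token() -> str:
    # Constructed per-session secret standing in for the csrftoken cookie value.
    return secrets.token_hex(16)


def csrf_check(method: str, cookies: dict, form: dict, headers: dict,
               exempt: bool = False) -> bool:
    """Simplified model of the middleware's per-request decision.

    Returns True when the request may proceed, raises Forbidden otherwise.
    `exempt` models a view decorated with @csrf_exempt.
    """
    if exempt or method.upper() in SAFE_METHODS:
        return True                      # safe methods are never checked
    cookie_token = cookies.get(CSRF_COOKIE)
    if not cookie_token:
        raise Forbidden("CSRF cookie not set")
    # Token may arrive as the form field or as the header; header names are
    # case-insensitive, so normalise before lookup (X-CSRFtoken also works).
    lowered = {k.lower(): v for k, v in headers.items()}
    request_token = form.get(CSRF_FIELD) or lowered.get(CSRF_HEADER.lower())
    if not request_token:
        raise Forbidden("CSRF token missing")
    # Constant-time comparison of the submitted token against the cookie.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        raise Forbidden("CSRF token incorrect")
    return True


def allowed(*args, **kwargs) -> bool:
    """True/False wrapper around csrf_check for tabulating request cases."""
    try:
        return csrf_check(*args, **kwargs)
    except Forbidden:
        return False
```

A cross-site form post can carry the victim's cookie but not a matching field or header, which is exactly the case the comparison rejects.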


This article is from the “八英裏” blog; please keep this attribution: http://5921271.blog.51cto.com/5911271/1929944
