Python之路67-防CSRF跨站請求偽造
阿新 • • 發佈:2017-05-26
python
目錄
一、簡介
二、應用
三、官方示例
一、簡介
django為用戶實現防止跨站請求偽造的功能,通過中間件django.middleware.csrf.CsrfViewMiddleware來完成。而對於django中設置防跨站請求偽造功能有分為全局和局部。
全局:
中間件 django.middleware.csrf.CsrfViewMiddleware
局部:
@csrf_protect,為當前函數強制設置防跨站請求偽造功能,即便settings中沒有設置全局中間件。
@csrf_exempt,取消當前函數防跨站請求偽造功能,即便settings中設置了全局中間件。
註:from django.views.decorators.csrf import csrf_exempt,csrf_protect
二、應用
1.form表單
<form action="/login/" method="POST"> {% csrf_token %} <input type="text" name="user"/> <input type="password" name="pwd"/> <input type="checkbox" name="rmb" value="1"> 10秒免登錄 <input type="submit" name="提交"/> </form>
2.Ajax
給某個ajax單獨添加
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <form action="/login/" method="POST"> {% csrf_token %} <input type="text" name="user"/> <input type="password" name="pwd"/> <input type="checkbox" name="rmb" value="1"> 10秒免登錄 <input type="submit" name="提交"/> <input id="btn1" type="button" value="按鈕"/> <input id="btn2" type="button" value="按鈕"/> </form> <script src="/static/jquery-1.12.4.js"></script> <script src="/static/jquery.cookie.js"></script> <script> $(function () { $("#btn1").click(function () { $.ajax({ url: "/login/", type: "POST", data: {"user": "root", "pwd": "123"}, headers: {"X-CSRFtoken": $.cookie("csrftoken")}, success: function (arg) { } }); }); }); </script> </body> </html>
給所有ajax添加
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <form action="/login/" method="POST"> {% csrf_token %} <input type="text" name="user"/> <input type="password" name="pwd"/> <input type="checkbox" name="rmb" value="1"> 10秒免登錄 <input type="submit" name="提交"/> <input id="btn1" type="button" value="按鈕"/> <input id="btn2" type="button" value="按鈕"/> </form> <script src="/static/jquery-1.12.4.js"></script> <script src="/static/jquery.cookie.js"></script> <script> $(function () { {# XMLHttpRequest#} $.ajaxSetup({ beforeSend: function (xhr, settings) { xhr.setRequestHeader("X-CSRFtoken", $.cookie("csrftoken")); } }); $("#btn1").click(function () { $.ajax({ url: "/login/", type: "POST", data: {"user": "root", "pwd": "123"}, {# headers: {"X-CSRFtoken": $.cookie("csrftoken")},#} success: function (arg) { } }); }); $("#btn2").click(function () { $.ajax({ url: "/login/", type: "POST", data: {"user": "root", "pwd": "123"}, {# headers: {"X-CSRFtoken": $.cookie("csrftoken")},#} success: function (arg) { } }); }); }); </script> </body> </html>
三、官方示例
test.html
<!DOCTYPE html> <html> <head lang="en"> <meta charset="UTF-8"> <title></title> </head> <body> {% csrf_token %} <input type="button" onclick="Do();" value="Do it"/> <script src="/static/plugin/jquery/jquery-1.8.0.js"></script> <script src="/static/plugin/jquery/jquery.cookie.js"></script> <script type="text/javascript"> var csrftoken = $.cookie(‘csrftoken‘); function csrfSafeMethod(method) { // these HTTP methods do not require CSRF protection return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method)); } $.ajaxSetup({ beforeSend: function(xhr, settings) { if (!csrfSafeMethod(settings.type) && !this.crossDomain) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } } }); function Do(){ $.ajax({ url:"/app01/test/", data:{id:1}, type:‘POST‘, success:function(data){ console.log(data); } }); } </script> </body> </html>
本文出自 “八英裏” 博客,請務必保留此出處http://5921271.blog.51cto.com/5911271/1929944
Python之路67-防CSRF跨站請求偽造