CSRF (Cross-Site Request Forgery) Protection
Once this protection is switched on (CsrfViewMiddleware is in MIDDLEWARE), submitting a form with POST is rejected with a 403 unless all of the following hold:
1. The browser accepts cookies (Django keeps the CSRF secret in the csrftoken cookie).
2. The view renders the template with render() (or otherwise passes a RequestContext), so the csrf context processor can put the token into the page.
3. The form contains {% csrf_token %}, which emits a hidden input carrying the random token.
The template below shows the third point: a form that posts a ModelForm and attaches CKEditor to the body field.
```html
{% extends "index.html" %}

{% block extra-head-resources %}
<script src="/static/plugins/ckeditor/ckeditor.js"></script>
{% endblock %}

{% block container %}
<div style="min-height: 600px;padding-bottom: 50px">
    <form method="post" enctype="multipart/form-data">
        {% csrf_token %}   {# renders <input type="hidden" name="csrfmiddlewaretoken" value="..."> #}
        {% for field in form %}
        <div class="form-group">
            <label class="col-sm-2 control-label">{{ field.name }}</label>
            <div class="col-sm-10">
                {{ field }}
                <span style="color: red">{{ field.errors }}</span>
            </div>
        </div>
        {% endfor %}
        <input type="submit" class="col-lg-offset-5 btn btn-sm btn-success" value="Submit">
    </form>
</div>

<script>
    // Replace the <textarea id="id_body"> with a CKEditor
    // instance, using default configuration.
    CKEDITOR.replace('id_body');
</script>
{% endblock %}
```
Why this stops CSRF: the check ties together two values that a cross-site attacker cannot obtain, the secret in the csrftoken cookie and the token that {% csrf_token %} rendered into our page. A malicious site can make the victim's browser send a POST to our server, and the browser will attach our cookie to it automatically, but the same-origin policy prevents that site from reading our cookie or our page, so it cannot put a matching csrfmiddlewaretoken into its forged form and CsrfViewMiddleware rejects the request with 403. Our own form is therefore told apart from a cross-site one by the token it carries, not by where the request appears to come from.
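The following is an added, framework-free model of that check, written for this page and modelled on how Django's CsrfViewMiddleware works; it is not Django's own code. It keeps a 32-character secret in the cookie, renders a 64-character masked token into the page the way {% csrf_token %} does, and then runs several constructed requests through the check: the real form, a forged POST that the attacker's page cannot fill with a token, a token from another session, a stolen token sent from a foreign Origin over HTTPS, and a plain GET. The Request class, the site origin and the scenario names are assumptions for the demonstration.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Names follow Django's settings; values are Django's defaults.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
COOKIE_NAME = "csrftoken"            # default CSRF_COOKIE_NAME
FORM_FIELD = "csrfmiddlewaretoken"   # hidden input that {% csrf_token %} emits


def new_secret() -> str:
    """Per-session secret that lives in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Page token: random mask + secret shifted by the mask. Every render gives a
    different token for the same cookie, so the token is not a constant in the page."""
    mask = new_secret()
    n, idx = len(CSRF_ALLOWED_CHARS), CSRF_ALLOWED_CHARS.index
    cipher = "".join(CSRF_ALLOWED_CHARS[(idx(s) + idx(m)) % n] for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the secret a page token was derived from."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n, idx = len(CSRF_ALLOWED_CHARS), CSRF_ALLOWED_CHARS.index
    return "".join(CSRF_ALLOWED_CHARS[(idx(c) - idx(m)) % n] for c, m in zip(cipher, mask))


@dataclass
class Request:
    """Constructed stand-in for the parts of a Django request the check reads."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    is_secure: bool = False


def check_csrf(request: Request, site_origin: str = "https://bbs.example.com"):
    """Return (accepted, reason). Order of checks mirrors CsrfViewMiddleware."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, "safe method, not checked"
    # Over HTTPS Django additionally requires the Origin (or Referer) to be our own
    # site, so even a leaked token is useless when sent from somewhere else.
    if request.is_secure:
        origin = request.headers.get("Origin") or request.headers.get("Referer", "")
        if not origin.startswith(site_origin):
            return False, "Origin checking failed"
    secret = request.cookies.get(COOKIE_NAME)
    if secret is None:
        return False, "CSRF cookie not set"
    token = request.post.get(FORM_FIELD) or request.headers.get("X-CSRFToken", "")
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False, "CSRF token missing or incorrect"
    if not hmac.compare_digest(unmask_token(token), secret):   # constant-time compare
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def scenarios() -> dict:
    """Same victim browser, same cookie: only the form carrying the page's token passes."""
    secret = new_secret()                  # set in the cookie on the first GET
    page_token = mask_secret(secret)       # what {% csrf_token %} rendered for the victim
    cookie = {COOKIE_NAME: secret}         # the browser attaches it to every POST
    same_site = {"Origin": "https://bbs.example.com"}
    evil_site = {"Origin": "https://evil.example"}
    requests = {
        "legit_form": Request("POST", cookie, {FORM_FIELD: page_token}, same_site, True),
        # The attacker's page can trigger the POST, but it cannot read our cookie or
        # our page, so its form has no token to send.
        "forged_no_token": Request("POST", cookie, {"body": "spam"}, {}, False),
        # A token from the attacker's own session does not match the victim's cookie.
        "forged_other_token": Request("POST", cookie, {FORM_FIELD: mask_secret(new_secret())}, {}, False),
        # Even a stolen token is rejected over HTTPS when the Origin is foreign.
        "stolen_token_cross_origin": Request("POST", cookie, {FORM_FIELD: page_token}, evil_site, True),
        "get_is_not_checked": Request("GET", cookie, {}, evil_site, True),
    }
    return {name: check_csrf(req)[0] for name, req in requests.items()}
```

The last scenario is the practical caveat: safe methods are never checked, so a view that changes state on GET gets no CSRF protection at all from this middleware.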
Middleware
To let you change Django's request/response processing, and the request data itself, globally, for example to verify on every request that the user is logged in or to look for injection or other attack patterns, Django provides a lightweight, low-level hook system called middleware.
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',            # security headers (HSTS, nosniff, X-XSS-Protection on older versions) and redirect to HTTPS when SECURE_SSL_REDIRECT is on
    'django.contrib.sessions.middleware.SessionMiddleware',     # session support
    'django.middleware.common.CommonMiddleware',                # small common chores: URL checks, e.g. APPEND_SLASH redirects foo.com/bar to foo.com/bar/
    'django.middleware.csrf.CsrfViewMiddleware',                # CSRF protection
    'django.contrib.auth.middleware.AuthenticationMiddleware',  # authentication: attaches request.user
    'django.contrib.messages.middleware.MessageMiddleware',     # Django's built-in messages framework
    'django.middleware.clickjacking.XFrameOptionsMiddleware',   # clickjacking protection (X-Frame-Options header)
]
```
Custom middleware
Register the class you create in settings by adding its dotted path to MIDDLEWARE:
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'bbs.test_middleware.SimpleMiddleware',
]
```
```python
from django.http import HttpResponse


class SimpleMiddleware(object):
    def __init__(self, get_response):
        self.get_response = get_response
        # One-time configuration and initialization.

    def __call__(self, request):
        # Code to be executed for each request before
        # the view (and later middleware) are called.

        response = self.get_response(request)
        print("middleware", response)

        # Code to be executed for each request/response after
        # the view is called.

        return response

    def process_view(self, request, view_func, view_args, view_kwargs):
        # Called just before the view. Returning None lets the request
        # continue; returning an HttpResponse skips the view.
        print('process view', self, request, view_func, view_args, view_kwargs)
        return None

    def process_exception(self, request, exception):
        # Called when the view raises; the response returned here is sent
        # instead of the error page.
        print('process exception', request, exception)
        return HttpResponse('error happened....%s' % exception)

    def process_template_response(self, request, response):
        # Called only when the view returned a TemplateResponse; the hook
        # must return a response object, otherwise Django has nothing to render.
        print('process_template_response', request, response)
        return response
```
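The hooks above only print, so they do not show the two things that bite in practice: the order in which a list of middleware runs, and how a hook short-circuits the view. The following added example (written for this page, not Django's own code, and deliberately free of Django imports so it runs anywhere) models how django.core.handlers.base builds the chain from MIDDLEWARE, and uses it for the site-wide login check mentioned under Middleware: `LoginRequiredMiddleware` turns away anonymous requests in process_view, and `ErrorPageMiddleware` converts a view exception into a response as the page's process_exception does. The Request and Response classes, the `login_exempt` view attribute and the view functions are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for the request attributes used here."""
    path: str
    user_authenticated: bool = False
    log: list = field(default_factory=list)   # records the order hooks ran in


@dataclass
class Response:
    status: int
    body: str = ""


class TraceMiddleware:
    """Logs each hook so the request/response ordering becomes visible."""
    name = "trace"

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.log.append(f"{self.name}:request")    # request phase: top-down
        response = self.get_response(request)
        request.log.append(f"{self.name}:response")   # response phase: bottom-up
        return response

    def process_view(self, request, view_func, view_args, view_kwargs):
        request.log.append(f"{self.name}:process_view")
        return None                                  # None: carry on to the view

    def process_exception(self, request, exception):
        request.log.append(f"{self.name}:process_exception")
        return None                                  # None: let the next hook try


class OuterTrace(TraceMiddleware):
    name = "outer"


class InnerTrace(TraceMiddleware):
    name = "inner"


class LoginRequiredMiddleware(TraceMiddleware):
    """Site-wide login check: anonymous requests never reach the view unless the
    view carries the hypothetical login_exempt attribute or it is the login page."""
    name = "login"

    def process_view(self, request, view_func, view_args, view_kwargs):
        if request.user_authenticated or getattr(view_func, "login_exempt", False):
            return None
        if request.path.startswith("/login/"):
            return None
        return Response(302, f"/login/?next={request.path}")   # short-circuits the view


class ErrorPageMiddleware(TraceMiddleware):
    """Replaces an unhandled view exception with a response, like the page's hook."""
    name = "errorpage"

    def process_exception(self, request, exception):
        return Response(500, f"error happened: {exception}")


def build_handler(middleware_classes, view):
    """Model of BaseHandler.load_middleware: wrap innermost-first; process_view hooks
    run in MIDDLEWARE order, process_exception hooks in reverse order, first non-None wins."""
    view_hooks, exception_hooks = [], []

    def get_response(request):
        for hook in view_hooks:
            response = hook(request, view, (), {})
            if response is not None:
                return response
        try:
            return view(request)
        except Exception as exc:
            for hook in exception_hooks:
                response = hook(request, exc)
                if response is not None:
                    return response
            raise

    handler = get_response
    for cls in reversed(middleware_classes):
        mw = cls(handler)
        if hasattr(mw, "process_view"):
            view_hooks.insert(0, mw.process_view)
        if hasattr(mw, "process_exception"):
            exception_hooks.append(mw.process_exception)
        handler = mw
    return handler


MIDDLEWARE = [OuterTrace, LoginRequiredMiddleware, ErrorPageMiddleware, InnerTrace]


def profile_view(request):
    return Response(200, "profile")


def public_view(request):
    return Response(200, "public")


public_view.login_exempt = True   # hypothetical opt-out marker read by LoginRequiredMiddleware


def broken_view(request):
    raise ValueError("boom")


def run(path, authenticated, view):
    """Send one constructed request through the chain; return (response, hook log)."""
    request = Request(path, authenticated)
    response = build_handler(MIDDLEWARE, view)(request)
    return response, request.log
```

Running `run("/profile/", False, profile_view)` shows the point that matters for an access-control middleware: every middleware's request phase has already run before the first process_view is called, and once LoginRequiredMiddleware returns the redirect, the hooks below it and the view are skipped while every response phase still runs. For `broken_view`, process_exception is tried from the innermost middleware outwards and stops at ErrorPageMiddleware, so OuterTrace never sees the exception.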