CSRF - Cross-site Access Protection


When this feature is enabled, submitting a form raises an error. There are several ways to resolve it:

1. The browser supports cookies.

2. Use the render method.

3. Add {% csrf_token %} to the submitted form so that a random value is generated.

Below we take the third approach as the example; it resolves this class of problem.

{% extends "index.html" %}

{% block extra-head-resources %}

    <script src="/static/plugins/ckeditor/ckeditor.js"></script>
{% endblock %}

{% block container %}

<div style="min-height: 600px;padding-bottom: 50px">

    <form method="post" enctype="multipart/form-data"> {% csrf_token %}

        {% for field in form %}
            <div class="form-group">
                <label class="col-sm-2 control-label">{{ field.name }}</label>
                <div class="col-sm-10">
                  {{ field }}
                  <span style="color: red">{{ field.errors }}</span>
                </div>
            </div>

        {% endfor %}
        <input type="submit" class="col-lg-offset-5 btn btn-sm btn-success" value="提交">
    </form>
</div>


<script>
    // Replace the <textarea id="editor1"> with a CKEditor
    // instance, using default configuration.
    CKEDITOR.replace( 'id_body' );
</script>


{% endblock %}
new_article.html

To prevent CSRF attacks and tell request sources apart, the random value is placed in the page rather than in the POST request, so it cannot be used maliciously.

Middleware

To let users make global changes to Django's request/response processing and to the request data, for example checking whether every request is from a logged-in user, or detecting injection or other attack behaviour, Django provides a lightweight, low-level hook plugin called middleware.

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',            # security checks on requests: XSS attack filtering, SSL redirect (automatic redirect to https)
    'django.contrib.sessions.middleware.SessionMiddleware',     # enables session support
    'django.middleware.common.CommonMiddleware',                # a few common small features; checks the URL and automatically redirects foo.com/bar to foo.com/bar/
    'django.middleware.csrf.CsrfViewMiddleware',                # cross-site request protection
    'django.contrib.auth.middleware.AuthenticationMiddleware',  # authentication
    'django.contrib.messages.middleware.MessageMiddleware',     # enables Django's built-in messages plugin
    'django.middleware.clickjacking.XFrameOptionsMiddleware',   # clickjacking protection
]

Custom middleware

Declare the middleware you created yourself in settings:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'bbs.test_middleware.SimpleMiddleware'
]
settings

from django.shortcuts import render, HttpResponse, redirect


class SimpleMiddleware(object):
    def __init__(self, get_response):
        self.get_response = get_response
        # One-time configuration and initialization.

    def __call__(self, request):
        # Code to be executed for each request before
        # the view (and later middleware) are called.

        response = self.get_response(request)
        print("middleware", response)

        # Code to be executed for each request/response after
        # the view is called.

        return response

    def process_view(self, request, view_func, view_args, view_kwargs):
        # Called just before the view runs; returning None lets the view proceed.
        print('process view', self, request, view_func, view_args, view_kwargs)

    def process_exception(self, request, exception):
        # Called when the view raises; the returned response replaces the error page.
        print('process exception', request, exception)
        return HttpResponse('error happened....%s' % exception)

    def process_template_response(self, request, response):
        # Called for TemplateResponse objects after the view returns; must return the response.
        # (The hook name must be spelled exactly like this or Django never calls it.)
        print('process_template_response', request, response)
        return response
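To show how the "random value in the page" check from the CSRF section and the `__init__(get_response)` / `__call__` contract of the middleware above fit together, here is an added, self-contained example that is not part of the original post and does not require Django. It is a deliberately simplified re-implementation, not Django's `CsrfViewMiddleware`: it only compares the `csrftoken` cookie with the `csrfmiddlewaretoken` form field (the names Django uses by default) and skips Django's token masking and Origin/Referer checks; the `Request`/`Response` classes are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-ins for Django's request/response objects (assumption: no Django installed).
@dataclass
class Request:
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    status_code: int
    body: str


SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # never modify state, so no token needed


class CsrfCheckMiddleware:
    """Same __init__/__call__ contract as SimpleMiddleware; simplified CSRF check."""

    def __init__(self, get_response):
        self.get_response = get_response  # next middleware or the view itself

    def __call__(self, request):
        if request.method not in SAFE_METHODS:
            cookie_token = request.COOKIES.get("csrftoken", "")
            form_token = request.POST.get("csrfmiddlewaretoken", "")
            # A forged cross-site form cannot read our cookie, so it cannot supply a
            # matching field value. Reject when either is missing or they differ
            # (constant-time compare avoids leaking the token via timing).
            if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
                return Response(403, "CSRF verification failed")
        return self.get_response(request)


def view(request):
    return Response(200, "ok")


def make_token():
    return secrets.token_hex(16)  # stands in for the random value {% csrf_token %} renders


def simulate(method, cookie_token, form_token):
    """Run one request through the middleware and return the resulting status code."""
    mw = CsrfCheckMiddleware(view)
    cookies = {"csrftoken": cookie_token} if cookie_token else {}
    post = {"csrfmiddlewaretoken": form_token} if form_token else {}
    return mw(Request(method, cookies, post)).status_code
```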