django配置文件通过中间件开启CSRF(Cross-site request forgery跨站请求伪造) 默认开启
参考官方文档 django官方文档
正常请求
1.需要在views结尾传递context_instance=RequestContext(request)
2.然后在模板的form标签内添加{% csrf_token %}
异步请求
第一种
1.增加装饰器from django.views.decorators.csrf import csrf_exempt
2.在views请求函数添加该装饰器 可以在请求中屏蔽到跨站检测
第二种
修改ajax的请求头信息
2.导入其中的jquery.cookie.js文件
3.保存下面代码到csrftoken.js文件 并在jquery.cookie.js下方导入
function csrfSafeMethod(method) {
// these HTTP methods do not require CSRF protection
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
function sameOrigin(url) {
// test that a given url is a same-origin URL
// url could be relative or scheme relative or absolute
var host = document.location.host; // host + port
var protocol = document.location.protocol;
var sr_origin = '//' + host;
var origin = protocol + sr_origin;
// Allow absolute or scheme relative URLs to same origin
return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!csrfSafeMethod(settings.type) && sameOrigin(settings.url)) {
// Send the token to same-origin, relative URLs only.
// Send the token only if the method warrants CSRF protection
// Using the CSRFToken value acquired earlier
var csrftoken = $.cookie('csrftoken');
xhr.setRequestHeader("X-CSRFToken", csrftoken);
}
}
});
4.完成后 测试 请求不会在出现403csrf提示错误
原理:获取csrf值后 通过ajaxSetup修改所有ajax的默认请求的头信息
其他具体请参考原文档