How to use it¶
To take advantage of CSRF protection in your views, follow these steps:
-
The CSRF middleware is activated by default in the
MIDDLEWAREsetting. If you override that setting, remember that'django.middleware.csrf.CsrfViewMiddleware'should come before any view middleware that assume that CSRF attacks have been dealt with.If you disabled it, which is not recommended, you can use
csrf_protect()on particular views you want to protect (see below). -
In any template that uses a POST form, use the
csrf_tokentag inside the<form>element if the form is for an internal URL, e.g.:<form action="" method="post">{% csrf_token %}
This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.
-
In the corresponding view functions, ensure that
RequestContextis used to render the response so that{%csrf_token %}will work properly. If you’re using therender()function, generic views, or contrib apps, you are covered already since these all useRequestContext.
扫一扫
2640
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
