Cross-site request forgery, also known as a one-click attack or session riding and
abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby
unauthorized commands are transmitted from a user that the website trusts.Unlike cross-
site scripting (XSS), which exploits the trust a user has for a particular site, CSRF
exploits the trust that a site has in a user's browser.
使用秘密cookie
^{pr2}$
只接受POST请求Applications can be developed to only accept POST requests for the execution of business
logic. The misconception is that since the attacker cannot construct a malicious link,
a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are
numerous methods in which an attacker can trick a victim into submitting a forged POST
request, such as a simple form hosted in attacker's website with hidden values. This
form can be triggered automatically by JavaScript or can be triggered by the victim who
thinks form will do something else.
Django每次请求服务器时都会设置csrftoken cookie,当您将数据从客户端发布到服务器时,此令牌与该令牌匹配,如果不匹配,则抛出错误,这是恶意请求。在
如果可以使用csrf_exempt decorator来禁用特定视图的csrf保护。在from django.views.decorators.csrf import csrf_exempt
然后在你的视图前面写@csrf_exempt