CSRF cross-site request protection
When this feature is turned on, submitting the form raises an error. The ways to resolve this are:
1. The browser supports cookies.
2. The view uses the render method.
3. Add {% csrf_token %} to the submitted form, so that a random token is generated.
Here we take the third approach as the example; that is enough to solve this kind of problem.
new_article.html:

```html
{% extends "index.html" %}

{% block extra-head-resources %}

{% endblock %}

{% block container %}
<form method="post">
    {% csrf_token %}
    {% for field in form %}
        {{ field.name }}
        {{ field }} {{ field.errors }}
    {% endfor %}
</form>

<script>
    // Replace the <textarea id="id_body"> with a CKEditor
    // instance, using default configuration.
    CKEDITOR.replace('id_body');
</script>
{% endblock %}
```
To defend against CSRF attacks and to tell where a request comes from, the random value is placed in the page rather than in the POST request, so it cannot be used maliciously.
Middleware
To let users make global changes to Django's request/response processing and to the request payload, for example checking on every request whether the user is logged in, or whether the request shows signs of injection or other attacks, Django provides a lightweight, low-level plugin hook called middleware.
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',  # security checks on requests: XSS attack filtering, SSL redirect (automatic redirect to https)
    'django.contrib.sessions.middleware.SessionMiddleware',  # enables session support
    'django.middleware.common.CommonMiddleware',  # assorted small conveniences: checks the URL and automatically redirects foo.com/bar to foo.com/bar/
    'django.middleware.csrf.CsrfViewMiddleware',  # cross-site request protection
    'django.contrib.auth.middleware.AuthenticationMiddleware',  # authentication
    'django.contrib.messages.middleware.MessageMiddleware',  # enables Django's built-in messages plugin
    'django.middleware.clickjacking.XFrameOptionsMiddleware',  # clickjacking protection
]
```
Custom middleware
Declare the middleware you created in settings:

settings:

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'bbs.test_middleware.SimpleMiddleware',
]
```
bbs/test_middleware.py:

```python
from django.shortcuts import render, HttpResponse, redirect


class SimpleMiddleware(object):
    def __init__(self, get_response):
        self.get_response = get_response
        # One-time configuration and initialization.

    def __call__(self, request):
        # Code to be executed for each request before
        # the view (and later middleware) are called.

        response = self.get_response(request)
        print("middleware", response)

        # Code to be executed for each request/response after
        # the view is called.

        return response

    def process_view(self, request, view_func, view_args, view_kwargs):
        print('process view', self, request, view_func, view_args, view_kwargs)

    def process_exception(self, request, exception):
        print('process exception', request, exception)
        return HttpResponse('error happened....%s' % exception)

    def process_template_response(self, request, response):
        # The hook must be spelled process_template_response for Django to
        # call it, and it must return a response object.
        print('process_template_response', request, response)
        return response
```
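The token check and the middleware chain described above, as an added example written for this page (not code from the original post and not Django's own implementation; the dict-shaped request, TraceMiddleware and the tuple responses are simplifications assumed here):

```python
# Added example, not the post's or Django's own code: a miniature of the
# MIDDLEWARE chain and of the CSRF token-vs-cookie check.
import hmac

TRACE = []  # order in which middleware and the view run, for inspection

def csrf_token_input(token):
    """What {% csrf_token %} renders: a hidden field carrying the token."""
    return '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % token

class CsrfMiddleware:
    """Reject unsafe-method requests whose form token does not match the cookie."""
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):  # request is a plain dict here (assumption)
        if request["method"] not in self.SAFE_METHODS:
            cookie = request["cookies"].get("csrftoken", "")
            submitted = request["post"].get("csrfmiddlewaretoken", "")
            # A page on another origin can submit a form to us, but it cannot
            # read our cookie, so it cannot fill the hidden field correctly.
            if not cookie or not hmac.compare_digest(cookie, submitted):
                return (403, "CSRF verification failed")
        return self.get_response(request)

class TraceMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        TRACE.append("trace:before")  # runs before the view, like SimpleMiddleware
        response = self.get_response(request)
        TRACE.append("trace:after")  # runs after the view returned
        return response

def new_article_view(request):
    TRACE.append("view")
    return (200, "article saved")

def build_chain(middleware_classes, view):
    # As Django does: wrap from the last MIDDLEWARE entry inward, so the first
    # entry sees the request first and the response last.
    handler = view
    for cls in reversed(middleware_classes):
        handler = cls(handler)
    return handler

def handle(method, cookies=None, post=None):
    TRACE.clear()
    chain = build_chain([TraceMiddleware, CsrfMiddleware], new_article_view)
    return chain({"method": method, "cookies": cookies or {}, "post": post or {}})
```

A request that is rejected by CsrfMiddleware never reaches the view, but the outer middleware still sees the 403 response on its way back out.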