Django: Cross-Site Request Forgery (CSRF) Protection - Chapter 16

1. Basic Applications

Django validates client requests that submit data (POST) by means of a randomly generated string. The basic principle: the client first sends a GET request to the server, the server writes the random string into the page it returns, and the client must submit its data together with this random string before the server will process the request. CSRF protection is enabled in the default middleware configuration:

settings.py:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',	# CSRF
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

views.py:

from django.http import HttpResponse
from django.shortcuts import render


def csrf(request):
    if request.method == 'GET':
        # Render the form page; the template decides whether a token is included
        return render(request, 'csrf.html')
    else:
        # POST only reaches here once CsrfViewMiddleware has accepted the request
        return HttpResponse('ok')

In Django, {% csrf_token %} inserts a random string generated by the server; if it is not added to the page, the string is not sent along with the request:

csrf.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form action="" method="post">
    <input type="text">
    <input type="submit">
</form>
</body>
</html>

Submitting data then results in a 403 Forbidden error:

If {% csrf_token %} is added to the page, this random string appears in the page the server returns after the client's GET request:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form action="" method="post">
    <input type="text">
    <input type="hidden" name="csrfmiddlewaretoken" value="a7brzXos3mDRZlmdWyJcKs72MJ4WtvXaZfa8xWUJq7E3dvNhFrWk3gesKdup3TR2">
    <input type="submit">
</form>
</body>
</html>

The client now submits its data together with this random string, and the request is no longer rejected.

{{ csrf_token }} outputs just the random string on the page, whereas {% csrf_token %} is different in that it generates a complete hidden input tag.
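As an added example (not code from this post or from Django itself), here is a simplified Python model of the check that CsrfViewMiddleware applies: the cookie holds a 32-character secret, the form carries a 64-character masked copy like the value shown above, and a POST is accepted only when the unmasked form token matches the cookie. The function and variable names are mine.

```python
import hmac
import secrets
import string

# Constructed demo (not Django's own code): a simplified model of the token check
# that django.middleware.csrf.CsrfViewMiddleware performs on each request.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                     # secret stored in the csrftoken cookie
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH  # 64-char value that {% csrf_token %} renders
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_secret():
    """Random 32-char secret, like the one set in the csrftoken cookie on the first GET."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, mask=None):
    """Build the 64-char form token: a fresh mask followed by the secret shifted by it.
    A new mask per page means the same secret never appears twice verbatim in a form."""
    mask = mask or new_secret()
    n = len(CSRF_ALLOWED_CHARS)
    shifted = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask))
    return mask + shifted


def unmask_token(token):
    """Reverse mask_secret: recover the cookie secret from a 64-char form token."""
    mask, shifted = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(shifted, mask))


def check_request(method, cookie_secret, form_token, exempt=False):
    """Return (accepted, reason) in the order the middleware decides. The Origin and
    Referer checks Django additionally performs on HTTPS requests are left out."""
    if exempt or method in SAFE_METHODS:  # @csrf_exempt view, or a read-only method
        return True, "not checked"
    if cookie_secret is None:  # no cookie: the client never fetched a page first
        return False, "CSRF cookie not set"
    if (not form_token or len(form_token) != CSRF_TOKEN_LENGTH
            or any(ch not in CSRF_ALLOWED_CHARS for ch in form_token)):
        return False, "CSRF token missing or incorrect"
    if not hmac.compare_digest(unmask_token(form_token), cookie_secret):
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"
```

Because the mask changes on every render, two tokens for the same cookie look unrelated, which is why the 64-character value on the page differs from the 32-character cookie value.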

2. Disabling site-wide

If CSRF validation is not wanted anywhere on the site, it can be disabled globally: simply comment out the CSRF middleware in the MIDDLEWARE section of the configuration file.

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

After this, no CSRF validation takes place when the client submits data.

3. Disabling for individual views

If CSRF validation is not wanted for data submitted from certain pages while django.middleware.csrf.CsrfViewMiddleware remains enabled globally, the validation can be turned off for a single view with a decorator: simply add the csrf_exempt decorator to the view function:

views.py:

from django.http import HttpResponse
from django.shortcuts import render
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def csrf(request):
    # CsrfViewMiddleware skips this view entirely, so a POST without a token is accepted
    if request.method == 'GET':
        return render(request, 'csrf.html')
    else:
        return HttpResponse('ok')

4. Enabling for individual views

If CSRF validation is disabled globally, it can still be used locally. This requires a decorator on the view function, which indicates that data submitted from the template rendered by this view must pass CSRF validation:

views.py:

from django.http import HttpResponse
from django.shortcuts import render
from django.views.decorators.csrf import csrf_protect


@csrf_protect
def csrf(request):
    # The token check runs for this view even though the middleware is disabled globally
    if request.method == 'GET':
        return render(request, 'csrf.html')
    else:
        return HttpResponse('ok')

If {% csrf_token %} is not added to the template, the request is still rejected:

Tags: Django

Posted on Sun, 14 Jun 2020 20:52:46 -0400 by Basdub