
    Mastering Django POST requests: CSRF

    Plenty of people playing with Django run into this problem: a POST request inexplicably returns 403 Forbidden. Hopefully this post answers all of the questions around it.

    Three steps

    To enable CSRF protection for your views, follow these steps:
    
    1. Add the middleware `django.middleware.csrf.CsrfViewMiddleware` to your list of middleware classes in `settings.py`, MIDDLEWARE_CLASSES. (It should come before any view middleware that assume that CSRF attacks have been dealt with.)
    
    Alternatively, you can use the decorator `@csrf_protect` on particular views you want to protect (see below).
    

    I tried @csrf_exempt and that works too.
    @csrf_exempt turns off the CSRF check for the current view method.

    2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:
    
    `<form action="." method="post">{% csrf_token %}`
    This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.
    
    3. In the corresponding view functions, ensure that the `django.core.context_processors.csrf` context processor is being used. Usually, this can be done in one of two ways:
    
    Use RequestContext, which always uses `django.core.context_processors.csrf` (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting). If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.
    
    Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:
    
    # Import path for Django 1.x; in Django 1.8 the processor moved to
    # django.template.context_processors.csrf (the old path was removed in 1.10).
    from django.core.context_processors import csrf
    from django.shortcuts import render_to_response
    
    def my_view(request):
        c = {}
        # csrf(request) returns {'csrf_token': ...}, which {% csrf_token %} needs
        c.update(csrf(request))
        # ... view code here
        return render_to_response("a_template.html", c)
    You may want to write your own render_to_response() wrapper that takes care of this step for you.
    
    The utility script extras/csrf_migration_helper.py can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.
    

    Put plainly, these are the pieces you need.

    The submission has to carry a csrfmiddlewaretoken field:

    <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
    

    When submitting via AJAX you have to add it yourself:
    Django generates the token when it renders the form and at the same time puts it in the cookie.

            // Serialize every input in the modal except buttons into a query string
            var param = $.param($('#addipModal :input:not(button)'));
            $.ajax({
                url: "{% url 'attendence:ip_add'%}",   // rendered by the Django template engine
                method: "post",
                // Append the token read from the csrftoken cookie ($.cookie needs the jquery.cookie plugin)
                data: param + "&csrfmiddlewaretoken=" + $.cookie('csrftoken'),
                success: function(data) {
                    $("#cancelip").click();
                    alert(data);
                    window.location.reload();
                }
            });
    
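    To make the form case and the AJAX case above concrete, here is an added, stand-alone model of the decision Django's CSRF middleware makes on each request. It is example code written for this post, not Django's own implementation: the names `generate_csrf_token`, `csrf_check`, `render_hidden_field`, the `csrftoken` cookie name, the `csrfmiddlewaretoken` field and the `X-CSRFToken` header are the conventions the post describes, and the request values are constructed inline. The point it shows is why a cross-site form post fails: the forged request can carry the cookie but not the matching token, because the attacker's page cannot read it.

```python
import hmac
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Methods that are never CSRF-checked; everything else must prove it knows the token
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"
HEADER_NAME = "X-CSRFToken"


def generate_csrf_token():
    """Random per-client secret; the server sets it as the csrftoken cookie."""
    return secrets.token_hex(16)


def render_hidden_field(token):
    """What {% csrf_token %} expands to: a hidden input carrying the token."""
    return '<input type="hidden" name="%s" value="%s">' % (FIELD_NAME, html.escape(token))


def csrf_check(method, cookie_header, body, headers=None):
    """Return (allowed, reason) for one request, the way a CSRF middleware would.

    cookie_header: the raw Cookie request header (constructed in tests)
    body:          urlencoded form body, e.g. "name=x&csrfmiddlewaretoken=..."
    headers:       dict of other request headers (AJAX clients send X-CSRFToken)
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    if COOKIE_NAME not in cookies:
        # No cookie means the client never loaded a form/page from this site
        return False, "CSRF cookie not set"
    cookie_token = cookies[COOKIE_NAME].value

    # Token may arrive in the form body (HTML form) or in a header (AJAX)
    submitted = None
    if method.upper() == "POST":
        fields = parse_qs(body or "")
        submitted = fields.get(FIELD_NAME, [None])[0]
    if not submitted:
        submitted = (headers or {}).get(HEADER_NAME)
    if not submitted:
        return False, "CSRF token missing"

    # Constant-time compare so the check does not leak the token byte by byte
    if not hmac.compare_digest(cookie_token.encode("utf-8"), submitted.encode("utf-8")):
        return False, "CSRF token incorrect"
    return True, "ok"


if __name__ == "__main__":
    token = generate_csrf_token()
    cookie = "%s=%s" % (COOKIE_NAME, token)
    print(render_hidden_field(token))
    # Legitimate form post: cookie and hidden field agree
    print(csrf_check("POST", cookie, "name=x&%s=%s" % (FIELD_NAME, token)))
    # Legitimate AJAX post: token sent in the header instead
    print(csrf_check("POST", cookie, "name=x", {HEADER_NAME: token}))
    # Cross-site post: browser attaches the cookie, but the attacker's page cannot read it
    print(csrf_check("POST", cookie, "name=x"))
```

The last call is the 403 case from the opening paragraph: the cookie is present, the token is not, so the request is refused. The AJAX snippet above works for the same reason in reverse: the page's own JavaScript can read `csrftoken` and echo it back, a cross-origin page cannot.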

    Official documentation: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

    Original article: https://www.cnblogs.com/wancy86/p/django_post.html