- csrf
''' Protects the site against malicious requests sent from a third-party server (it checks whether a submitted form really came from this site). CSRF protection amounts to adding a hidden input to the form that submits a unique random string, which the server uses to verify that the form is one it issued itself.
Usage: settings.py / in the form / disable CSRF site-wide / disable CSRF for a single view '''

Enable the check in settings.py:

```python
MIDDLEWARE = [
    'django.middleware.csrf.CsrfViewMiddleware',
]
```

Add the token to the form in the template:

```html
{% comment %} ... {% endcomment %}
<form action="" method="post">
    {% csrf_token %}
    <input type="text" name="username">
    <p><input type="submit"></p>
</form>
```

Disable CSRF site-wide by commenting the middleware out in settings.py:

```python
# Set in settings.py
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

Disable CSRF for a single view by adding the @csrf_exempt decorator in front of the view function that should not be checked (csrf_protect does the opposite: it enforces the check on one view when the middleware is turned off globally):

```python
from django.views.decorators.csrf import csrf_exempt, csrf_protect

@csrf_exempt
def csrf1(request):
    pass
```
Verifying CSRF with Ajax. The template keeps the hidden csrfmiddlewaretoken field rendered by {% csrf_token %} and sends its value as a POST parameter; note that the selector must match the input's id (username):

```html
{# Ajax CSRF verification #}
<form method="POST" action="">
    {% csrf_token %}
    <input id="username" type="text" name="username" />
    {# <input type="submit" value="提交"/>#}
    <a onclick="submitForm();">Ajax提交</a>
</form>
<script src="https://cdn.bootcss.com/jquery/1.12.1/jquery.min.js"></script>
<script>
function submitForm(){
    // Read the token from the hidden input rendered by {% csrf_token %}
    var csrf = $('input[name="csrfmiddlewaretoken"]').val();
    console.log(csrf);
    var user = $('#username').val();
    $.ajax({
        url: '/hello/ajax/',
        type: 'POST',
        // The token must be included in the POST data (or sent as an X-CSRFToken header)
        data: {"user": user, 'csrfmiddlewaretoken': csrf},
        success: function(arg){
            console.log(arg);
        }
    });
}
</script>
```
```python
# views.py
from django.http import JsonResponse
from django.shortcuts import render


def handle_ajax(request):
    print(1111)
    # request.is_ajax() was deprecated in Django 3.1 and removed in 4.0;
    # it only checked this header, so the header check is equivalent.
    if request.headers.get('x-requested-with') == 'XMLHttpRequest':
        return JsonResponse({"code": 0, 'msg': "登录成功"})
    print(2222)
    return render(request, "ajax1.html")
```
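To make concrete what CsrfViewMiddleware actually checks when the form above (or the Ajax call) posts csrfmiddlewaretoken, here is an added, standalone re-implementation of the token scheme; it is example code written for this note, not Django's own source. The alphabet and lengths match Django's constants, but the function names (new_csrf_secret, mask_secret, unmask_token, token_is_valid, check_post) and the sample POST dictionaries are assumptions constructed for the demonstration. Django's middleware also checks the Origin/Referer headers on HTTPS, which is omitted here.

```python
import hmac
import secrets
import string

# Alphabet and lengths match Django's CSRF middleware constants; the functions below
# are a standalone re-implementation written for this note, not Django's own code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_secret() -> str:
    """Per-session secret that Django keeps in the csrftoken cookie or the session."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Produce the 64-char value that {% csrf_token %} writes into the hidden input.

    A fresh random mask is prepended and each secret character is shifted by the
    matching mask character, so every rendered form carries a different token even
    though the underlying secret is unchanged (this blunts compression-oracle
    attacks such as BREACH).
    """
    mask = "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: recover the secret from a submitted csrfmiddlewaretoken."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def token_is_valid(session_secret: str, posted_token: str) -> bool:
    """Decision the middleware makes for an unsafe (POST) request.

    Tokens of the wrong length or alphabet are rejected before unmasking, and the
    comparison is constant-time so the check itself does not leak the secret.
    """
    if len(posted_token) != CSRF_TOKEN_LENGTH:
        return False
    if any(ch not in CSRF_ALLOWED_CHARS for ch in posted_token):
        return False
    return hmac.compare_digest(unmask_token(posted_token), session_secret)


def check_post(session_secret: str, post_data: dict) -> bool:
    """Request side: the hidden field (the Ajax snippet sends the same value) must be
    present and must unmask to the secret bound to this client's session."""
    return token_is_valid(session_secret, post_data.get("csrfmiddlewaretoken", ""))


if __name__ == "__main__":
    # Constructed sample data: one session secret and two POST bodies.
    secret = new_csrf_secret()
    form_token = mask_secret(secret)  # what {% csrf_token %} renders for this session
    # Form rendered by this site: carries the token -> accepted
    print(check_post(secret, {"username": "bob", "csrfmiddlewaretoken": form_token}))  # True
    # Form built on a third-party site: cannot know the secret, no usable token -> rejected
    print(check_post(secret, {"username": "bob"}))  # False
```

Rendering the same page twice yields two different tokens that both unmask to the same secret, which is why copying a token out of one response and reusing it in another request from the same session still passes, while a request from another origin, which never sees the secret, fails.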
Django templates: cross-site request forgery (CSRF)
Reposted from blog.csdn.net/piduocheng0577/article/details/105001497