Getting to grips with CSRF on Django POST requests



Plenty of people working with Django run into this problem: a POST request returns 403 Forbidden for no obvious reason. Hopefully this post answers all the questions around it.

Three steps

To enable CSRF protection for your views, follow these steps:
1. Add the middleware `django.middleware.csrf.CsrfViewMiddleware` to your list of middleware classes in `settings.py`, MIDDLEWARE_CLASSES. (It should come before any view middleware that assume that CSRF attacks have been dealt with.)

Alternatively, you can use the decorator `@csrf_protect` on particular views you want to protect (see below).

I tried `@csrf_exempt` and that works too.
What `@csrf_exempt` does is switch CSRF checking off for the decorated view.

2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

`<form action="." method="post">{% csrf_token %}`

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.
3. In the corresponding view functions, ensure that the `django.core.context_processors.csrf` context processor is being used. Usually, this can be done in one of two ways:

Use RequestContext, which always uses `django.core.context_processors.csrf` (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting). If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.

Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:

```python
# Import path used by older Django releases; newer versions expose the
# processor as django.template.context_processors.csrf and use render().
from django.core.context_processors import csrf
from django.shortcuts import render_to_response

def my_view(request):
    c = {}
    # csrf(request) returns {'csrf_token': ...} and makes sure the csrftoken
    # cookie is set, so {% csrf_token %} in the template renders the hidden input.
    c.update(csrf(request))
    # ... view code here
    return render_to_response("a_template.html", c)
```
You may want to write your own render_to_response() wrapper that takes care of this step for you.

The utility script extras/csrf_migration_helper.py can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.

Put plainly, this is what you need.

The submitted form data must carry a csrfmiddlewaretoken field:

```html
<input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
```

For AJAX submissions you have to add it yourself:
when Django renders the form it generates the token and also stores it in the csrftoken cookie, so the script can read it from there.

```javascript
// Serialise every input in the modal except the buttons.
var param = $.param($('#addipModal :input:not(button)'));
$.ajax({
    url: "{% url 'attendence:ip_add'%}",
    method: "post",
    // Append the token read from the csrftoken cookie as the
    // csrfmiddlewaretoken POST field that CsrfViewMiddleware checks.
    // $.cookie comes from the jquery-cookie plugin, not jQuery core.
    data: param + "&csrfmiddlewaretoken=" + $.cookie('csrftoken'),
    success: function(data) {
        $("#cancelip").click();
        alert(data);
        window.location.reload();
    }
});
```
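The same idea without the jquery-cookie plugin, as an added example that is not from the original post: read the csrftoken cookie by hand and attach it for fetch(). It goes slightly beyond the snippet above by sending the token in the X-CSRFToken header, which CsrfViewMiddleware accepts as an alternative to the csrfmiddlewaretoken POST field, and by skipping the token for safe methods. The URL and form field in the usage comment are assumptions.

```javascript
// Read one cookie value out of a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// CsrfViewMiddleware only checks "unsafe" methods; GET, HEAD, OPTIONS
// and TRACE go through without a token.
function needsCsrf(method) {
  return !/^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build the fetch() options for a same-origin request. For unsafe methods
// the csrftoken cookie value is copied into the X-CSRFToken header; if the
// cookie is absent the page was not rendered with {% csrf_token %} (or
// get_token()), so fail loudly instead of sending a request that will 403.
function buildRequest(method, body, cookieString) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (needsCsrf(method)) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) {
      throw new Error('csrftoken cookie missing: render the form with {% csrf_token %} first');
    }
    headers['X-CSRFToken'] = token;
  }
  // same-origin credentials so the session and csrftoken cookies are sent.
  return { method: method, headers: headers, body: body, credentials: 'same-origin' };
}

// Browser usage (assumed URL and form id):
//   const form = document.getElementById('addipForm');
//   fetch('/attendence/ip/add/',
//         buildRequest('POST', new URLSearchParams(new FormData(form)).toString(),
//                      document.cookie));
```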

Official documentation: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

