Changeset 4224 for django/trunk/docs/csrf.txt
Timestamp: 12/17/06 21:59:45 (2 years ago)
Files: django/trunk/docs/csrf.txt (modified) (6 diffs)
django/trunk/docs/csrf.txt
r2980 r4224 1 1 ===================================== 2 Cross Site Request Forgery Protection2 Cross Site Request Forgery protection 3 3 ===================================== 4 4 5 The CsrfMiddleware class provides easy-to-use protection against 6 `Cross Site Request Forgeries`_. This type of attack occurs when a malicious 5 The CsrfMiddleware class provides easy-to-use protection against 6 `Cross Site Request Forgeries`_. This type of attack occurs when a malicious 7 7 web site creates a link or form button that is intended to perform some action 8 8 on your web site, using the credentials of a logged-in user who is tricked … … 13 13 middleware into your list of installed middleware. 14 14 15 16 15 .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF 17 16 18 17 How to use it 19 18 ============= 20 Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to 19 20 Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to 21 21 your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process 22 22 the response after the SessionMiddleware, so must come before it in the … … 26 26 How it works 27 27 ============ 28 28 29 CsrfMiddleware does two things: 29 30 30 1. It modifies outgoing requests by adding a hidden form field to all 31 'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is 32 a hash of the session ID plus a secret. If there is no session ID set, 33 this modification of the response isn't done, so there is very little 31 1. It modifies outgoing requests by adding a hidden form field to all 32 'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is 33 a hash of the session ID plus a secret. If there is no session ID set, 34 this modification of the response isn't done, so there is very little 34 35 performance penalty for those requests that don't have a session. 35 36 36 2. 
On all incoming POST requests that have the session cookie set, it 37 checks that the 'csrfmiddlewaretoken' is present and correct. If it 37 2. On all incoming POST requests that have the session cookie set, it 38 checks that the 'csrfmiddlewaretoken' is present and correct. If it 38 39 isn't, the user will get a 403 error. 39 40 … … 44 45 POST forms). GET requests ought never to have side effects (if you are 45 46 using HTTP GET and POST correctly), and so a CSRF attack with a GET 46 request will always be harmless. 47 request will always be harmless. 47 48 48 49 POST requests that are not accompanied by a session cookie are not protected, … … 50 51 could make these kind of requests anyway. 51 52 52 The Content-Type is checked before modifying the response, and only 53 The Content-Type is checked before modifying the response, and only 53 54 pages that are served as 'text/html' or 'application/xml+xhtml' 54 55 are modified. … … 56 57 Limitations 57 58 =========== 59 58 60 CsrfMiddleware requires Django's session framework to work. If you have 59 61 a custom authentication system that manually sets cookies and the like, 60 62 it won't help you. 61 63 62 If your app creates HTML pages and forms in some unusual way, (e.g. 63 it sends fragments of HTML in javascript document.write statements) 64 you might bypass the filter that adds the hidden field to the form, 64 If your app creates HTML pages and forms in some unusual way, (e.g. 65 it sends fragments of HTML in javascript document.write statements) 66 you might bypass the filter that adds the hidden field to the form, 65 67 in which case form submission will always fail. It may still be possible 66 68 to use the middleware, provided you can find some way to get the 67 69 CSRF token and ensure that is included when your form is submitted. 68
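Review bot: In the "How it works" hunk, item 1 still says "It modifies outgoing requests by adding a hidden form field", while the same item goes on to say "this modification of the response isn't done"; since this hunk only re-wraps the whitespace, it is a good moment to change "outgoing requests" to "outgoing responses" so the two sentences agree on what the middleware rewrites.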
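Review bot: The Content-Type hunk keeps the media type 'application/xml+xhtml', but the registered XHTML type is 'application/xhtml+xml'; suggest correcting the string here and, because the paragraph states that only pages served with these two types get the hidden field, confirming that the middleware's own Content-Type comparison uses the spelling documented, otherwise XHTML pages served with the standard type would not receive the token and their form submissions would fail the check.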
