mirrors/django
mirrors/django
0
0
Fork 0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00
Code Issues Releases Wiki Activity

Negligible spacing changes to docs/csrf.txt to be consistent

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty 2006-12-18 03:59:45 +00:00
parent cd394a246a
commit 8103b7dfad
1 changed files with 19 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/csrf.txt
View File

@ -1,5 +1,5 @@
===================================== =====================================
Cross Site Request Forgery Protection Cross Site Request Forgery protection
===================================== =====================================
The CsrfMiddleware class provides easy-to-use protection against The CsrfMiddleware class provides easy-to-use protection against
@ -12,11 +12,11 @@ The first defense against CSRF attacks is to ensure that GET requests
are side-effect free. POST requests can then be protected by adding this are side-effect free. POST requests can then be protected by adding this
middleware into your list of installed middleware. middleware into your list of installed middleware.
.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
How to use it How to use it
============= =============
Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process
the response after the SessionMiddleware, so must come before it in the the response after the SessionMiddleware, so must come before it in the
@ -25,6 +25,7 @@ happen to the response, so it must come after GZipMiddleware in the list.
How it works How it works
============ ============
CsrfMiddleware does two things: CsrfMiddleware does two things:
1. It modifies outgoing requests by adding a hidden form field to all 1. It modifies outgoing requests by adding a hidden form field to all
@ -55,6 +56,7 @@ are modified.
Limitations Limitations
=========== ===========
CsrfMiddleware requires Django's session framework to work. If you have CsrfMiddleware requires Django's session framework to work. If you have
a custom authentication system that manually sets cookies and the like, a custom authentication system that manually sets cookies and the like,
it won't help you. it won't help you.
@ -65,4 +67,3 @@ you might bypass the filter that adds the hidden field to the form,
in which case form submission will always fail. It may still be possible in which case form submission will always fail. It may still be possible
to use the middleware, provided you can find some way to get the to use the middleware, provided you can find some way to get the
CSRF token and ensure that is included when your form is submitted. CSRF token and ensure that is included when your form is submitted.