2006-05-08 23:03:08 +00:00
|
|
|
=====================================
|
2006-12-18 03:59:45 +00:00
|
|
|
Cross Site Request Forgery protection
|
2006-05-08 23:03:08 +00:00
|
|
|
=====================================
|
|
|
|
|
2009-10-27 00:36:34 +00:00
|
|
|
.. module:: django.middleware.csrf
|
2008-08-23 22:25:40 +00:00
|
|
|
:synopsis: Protects against Cross Site Request Forgeries
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
The CSRF middleware and template tag provides easy-to-use protection against
|
2009-03-23 23:02:46 +00:00
|
|
|
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
Web site contains a link, a form button or some javascript that is intended to
|
|
|
|
perform some action on your Web site, using the credentials of a logged-in user
|
|
|
|
who visits the malicious site in their browser. A related type of attack,
|
|
|
|
'login CSRF', where an attacking site tricks a user's browser into logging into
|
|
|
|
a site with someone else's credentials, is also covered.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
The first defense against CSRF attacks is to ensure that GET requests are
|
|
|
|
side-effect free. POST requests can then be protected by following the steps
|
|
|
|
below.
|
|
|
|
|
2008-08-23 22:25:40 +00:00
|
|
|
.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
|
2006-05-08 23:03:08 +00:00
|
|
|
|
|
|
|
How to use it
|
|
|
|
=============
|
2006-12-18 03:59:45 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
To enable CSRF protection for your views, follow these steps:
|
|
|
|
|
|
|
|
1. Add the middleware
|
2009-10-27 00:36:34 +00:00
|
|
|
``'django.middleware.csrf.CsrfViewMiddleware'`` to your list of
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
middleware classes, :setting:`MIDDLEWARE_CLASSES`. (It should come
|
2011-03-30 17:34:26 +00:00
|
|
|
and before any view middleware that assume that CSRF attacks have
|
|
|
|
been dealt with.)
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
|
|
|
Alternatively, you can use the decorator
|
2009-10-27 00:36:34 +00:00
|
|
|
``django.views.decorators.csrf.csrf_protect`` on particular views you
|
2009-11-03 14:40:37 +00:00
|
|
|
want to protect (see below).
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
2009-11-23 13:44:24 +00:00
|
|
|
2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
the ``<form>`` element if the form is for an internal URL, e.g.::
|
|
|
|
|
2011-03-30 17:34:26 +00:00
|
|
|
<form action="." method="post">{% csrf_token %}
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
|
|
|
This should not be done for POST forms that target external URLs, since
|
|
|
|
that would cause the CSRF token to be leaked, leading to a vulnerability.
|
|
|
|
|
|
|
|
3. In the corresponding view functions, ensure that the
|
2009-10-27 00:36:34 +00:00
|
|
|
``'django.core.context_processors.csrf'`` context processor is
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
being used. Usually, this can be done in one of two ways:
|
|
|
|
|
|
|
|
1. Use RequestContext, which always uses
|
2009-10-27 00:36:34 +00:00
|
|
|
``'django.core.context_processors.csrf'`` (no matter what your
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
TEMPLATE_CONTEXT_PROCESSORS setting). If you are using
|
|
|
|
generic views or contrib apps, you are covered already, since these
|
|
|
|
apps use RequestContext throughout.
|
|
|
|
|
|
|
|
2. Manually import and use the processor to generate the CSRF token and
|
|
|
|
add it to the template context. e.g.::
|
|
|
|
|
2009-10-27 00:36:34 +00:00
|
|
|
from django.core.context_processors import csrf
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
from django.shortcuts import render_to_response
|
|
|
|
|
|
|
|
def my_view(request):
|
|
|
|
c = {}
|
|
|
|
c.update(csrf(request))
|
|
|
|
# ... view code here
|
|
|
|
return render_to_response("a_template.html", c)
|
|
|
|
|
|
|
|
You may want to write your own ``render_to_response`` wrapper that
|
|
|
|
takes care of this step for you.
|
|
|
|
|
|
|
|
The utility script ``extras/csrf_migration_helper.py`` can help to automate the
|
2011-03-30 17:34:26 +00:00
|
|
|
finding of code and templates that may need these steps. It contains full help
|
|
|
|
on how to use it.
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
2011-02-22 11:27:58 +00:00
|
|
|
.. _csrf-ajax:
|
|
|
|
|
2011-02-09 02:06:27 +00:00
|
|
|
AJAX
|
|
|
|
----
|
|
|
|
|
|
|
|
While the above method can be used for AJAX POST requests, it has some
|
|
|
|
inconveniences: you have to remember to pass the CSRF token in as POST data with
|
|
|
|
every POST request. For this reason, there is an alternative method: on each
|
|
|
|
XMLHttpRequest, set a custom `X-CSRFToken` header to the value of the CSRF
|
|
|
|
token. This is often easier, because many javascript frameworks provide hooks
|
|
|
|
that allow headers to be set on every request. In jQuery, you can use the
|
2011-02-12 23:37:35 +00:00
|
|
|
``ajaxSend`` event as follows:
|
2011-02-09 02:06:27 +00:00
|
|
|
|
|
|
|
.. code-block:: javascript
|
|
|
|
|
2011-02-12 23:37:35 +00:00
|
|
|
$('html').ajaxSend(function(event, xhr, settings) {
|
|
|
|
function getCookie(name) {
|
|
|
|
var cookieValue = null;
|
|
|
|
if (document.cookie && document.cookie != '') {
|
|
|
|
var cookies = document.cookie.split(';');
|
|
|
|
for (var i = 0; i < cookies.length; i++) {
|
|
|
|
var cookie = jQuery.trim(cookies[i]);
|
|
|
|
// Does this cookie string begin with the name we want?
|
|
|
|
if (cookie.substring(0, name.length + 1) == (name + '=')) {
|
|
|
|
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
|
|
|
|
break;
|
2011-02-09 02:06:27 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2011-02-12 23:37:35 +00:00
|
|
|
return cookieValue;
|
|
|
|
}
|
|
|
|
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
|
|
|
|
// Only send the token to relative URLs i.e. locally.
|
|
|
|
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
|
2011-02-09 02:06:27 +00:00
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
Adding this to a javascript file that is included on your site will ensure that
|
|
|
|
AJAX POST requests that are made via jQuery will not be caught by the CSRF
|
|
|
|
protection.
|
|
|
|
|
2009-11-03 14:40:37 +00:00
|
|
|
The decorator method
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
Rather than adding ``CsrfViewMiddleware`` as a blanket protection, you can use
|
|
|
|
the ``csrf_protect`` decorator, which has exactly the same functionality, on
|
|
|
|
particular views that need the protection. It must be used **both** on views
|
|
|
|
that insert the CSRF token in the output, and on those that accept the POST form
|
|
|
|
data. (These are often the same view function, but not always). It is used like
|
|
|
|
this::
|
|
|
|
|
|
|
|
from django.views.decorators.csrf import csrf_protect
|
|
|
|
from django.template import RequestContext
|
|
|
|
|
|
|
|
@csrf_protect
|
|
|
|
def my_view(request):
|
|
|
|
c = {}
|
|
|
|
# ...
|
|
|
|
return render_to_response("a_template.html", c,
|
|
|
|
context_instance=RequestContext(request))
|
|
|
|
|
|
|
|
Use of the decorator is **not recommended** by itself, since if you forget to
|
|
|
|
use it, you will have a security hole. The 'belt and braces' strategy of using
|
|
|
|
both is fine, and will incur minimal overhead.
|
|
|
|
|
2008-12-03 00:34:18 +00:00
|
|
|
Exceptions
|
|
|
|
----------
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
To manually exclude a view function from being handled by either of the two CSRF
|
|
|
|
middleware, you can use the ``csrf_exempt`` decorator, found in the
|
2009-10-27 00:36:34 +00:00
|
|
|
``django.views.decorators.csrf`` module. For example::
|
2008-12-03 00:34:18 +00:00
|
|
|
|
2009-10-27 00:36:34 +00:00
|
|
|
from django.views.decorators.csrf import csrf_exempt
|
2008-12-08 04:15:19 +00:00
|
|
|
|
2009-10-27 00:43:16 +00:00
|
|
|
@csrf_exempt
|
2008-12-08 04:15:19 +00:00
|
|
|
def my_view(request):
|
|
|
|
return HttpResponse('Hello world')
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
Subdomains
|
|
|
|
----------
|
|
|
|
|
|
|
|
By default, CSRF cookies are specific to the subdomain they are set for. This
|
|
|
|
means that a form served from one subdomain (e.g. server1.example.com) will not
|
|
|
|
be able to have a target on another subdomain (e.g. server2.example.com). This
|
|
|
|
restriction can be removed by setting :setting:`CSRF_COOKIE_DOMAIN` to be
|
|
|
|
something like ``".example.com"``.
|
|
|
|
|
|
|
|
Please note that, with or without use of this setting, this CSRF protection
|
|
|
|
mechanism is not safe against cross-subdomain attacks -- see `Limitations`_.
|
|
|
|
|
|
|
|
Rejected requests
|
|
|
|
=================
|
|
|
|
|
|
|
|
By default, a '403 Forbidden' response is sent to the user if an incoming
|
|
|
|
request fails the checks performed by ``CsrfViewMiddleware``. This should
|
|
|
|
usually only be seen when there is a genuine Cross Site Request Forgery, or
|
|
|
|
when, due to a programming error, the CSRF token has not been included with a
|
|
|
|
POST form.
|
2009-02-07 17:47:02 +00:00
|
|
|
|
2011-04-20 11:39:10 +00:00
|
|
|
The error page, however, is not very friendly, so you may want to provide your
|
|
|
|
own view for handling this condition. To do this, simply set the
|
|
|
|
:setting:`CSRF_FAILURE_VIEW` setting to a dotted path to your own view function,
|
|
|
|
which should have the following signature::
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
|
|
|
def csrf_failure(request, reason="")
|
|
|
|
|
|
|
|
where ``reason`` is a short message (intended for developers or logging, not for
|
|
|
|
end users) indicating the reason the request was rejected.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
|
|
|
How it works
|
|
|
|
============
|
2006-12-18 03:59:45 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
The CSRF protection is based on the following things:
|
|
|
|
|
|
|
|
1. A CSRF cookie that is set to a random value (a session independent nonce, as
|
|
|
|
it is called), which other sites will not have access to.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
This cookie is set by ``CsrfViewMiddleware``. It is meant to be permanent,
|
|
|
|
but since there is no way to set a cookie that never expires, it is sent with
|
2009-10-27 00:36:34 +00:00
|
|
|
every response that has called ``django.middleware.csrf.get_token()``
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
(the function used internally to retrieve the CSRF token).
|
2006-05-08 23:03:08 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
2. A hidden form field with the name 'csrfmiddlewaretoken' present in all
|
|
|
|
outgoing POST forms. The value of this field is the value of the CSRF
|
|
|
|
cookie.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
2011-03-30 17:34:26 +00:00
|
|
|
This part is done by the template tag.
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
|
|
|
3. For all incoming POST requests, a CSRF cookie must be present, and the
|
|
|
|
'csrfmiddlewaretoken' field must be present and correct. If it isn't, the
|
|
|
|
user will get a 403 error.
|
|
|
|
|
|
|
|
This check is done by ``CsrfViewMiddleware``.
|
|
|
|
|
|
|
|
4. In addition, for HTTPS requests, strict referer checking is done by
|
|
|
|
``CsrfViewMiddleware``. This is necessary to address a Man-In-The-Middle
|
|
|
|
attack that is possible under HTTPS when using a session independent nonce,
|
|
|
|
due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted
|
|
|
|
by clients that are talking to a site under HTTPS. (Referer checking is not
|
|
|
|
done for HTTP requests because the presence of the Referer header is not
|
|
|
|
reliable enough under HTTP.)
|
|
|
|
|
|
|
|
This ensures that only forms that have originated from your Web site can be used
|
|
|
|
to POST data back.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
2007-08-16 14:09:41 +00:00
|
|
|
It deliberately only targets HTTP POST requests (and the corresponding POST
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
forms). GET requests ought never to have any potentially dangerous side effects
|
|
|
|
(see `9.1.1 Safe Methods, HTTP 1.1, RFC 2616`_), and so a CSRF attack with a GET
|
|
|
|
request ought to be harmless.
|
2006-05-08 23:03:08 +00:00
|
|
|
|
2007-08-16 14:09:41 +00:00
|
|
|
.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
|
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
Caching
|
|
|
|
=======
|
|
|
|
|
2011-03-30 17:34:26 +00:00
|
|
|
If the :ttag:`csrf_token` template tag is used by a template (or the
|
|
|
|
``get_token`` function is called some other way), ``CsrfViewMiddleware`` will
|
|
|
|
add a cookie and a ``Vary: Cookie`` header to the response. This means that the
|
|
|
|
middleware will play well with the cache middleware if it is used as instructed
|
|
|
|
(``UpdateCacheMiddleware`` goes before all other middleware).
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
|
|
|
|
However, if you use cache decorators on individual views, the CSRF middleware
|
|
|
|
will not yet have been able to set the Vary header. In this case, on any views
|
|
|
|
that will require a CSRF token to be inserted you should use the
|
|
|
|
:func:`django.views.decorators.vary.vary_on_cookie` decorator first::
|
|
|
|
|
|
|
|
from django.views.decorators.cache import cache_page
|
|
|
|
from django.views.decorators.vary import vary_on_cookie
|
|
|
|
|
|
|
|
@cache_page(60 * 15)
|
|
|
|
@vary_on_cookie
|
|
|
|
def my_view(request):
|
|
|
|
# ...
|
|
|
|
|
|
|
|
|
|
|
|
Testing
|
|
|
|
=======
|
|
|
|
|
|
|
|
The ``CsrfViewMiddleware`` will usually be a big hindrance to testing view
|
|
|
|
functions, due to the need for the CSRF token which must be sent with every POST
|
|
|
|
request. For this reason, Django's HTTP client for tests has been modified to
|
|
|
|
set a flag on requests which relaxes the middleware and the ``csrf_protect``
|
|
|
|
decorator so that they no longer rejects requests. In every other respect
|
|
|
|
(e.g. sending cookies etc.), they behave the same.
|
|
|
|
|
2010-08-27 13:54:13 +00:00
|
|
|
If, for some reason, you *want* the test client to perform CSRF
|
|
|
|
checks, you can create an instance of the test client that enforces
|
|
|
|
CSRF checks::
|
|
|
|
|
|
|
|
>>> from django.test import Client
|
|
|
|
>>> csrf_client = Client(enforce_csrf_checks=True)
|
|
|
|
|
2006-05-08 23:03:08 +00:00
|
|
|
Limitations
|
|
|
|
===========
|
2006-12-18 03:59:45 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
Subdomains within a site will be able to set cookies on the client for the whole
|
|
|
|
domain. By setting the cookie and using a corresponding token, subdomains will
|
|
|
|
be able to circumvent the CSRF protection. The only way to avoid this is to
|
|
|
|
ensure that subdomains are controlled by trusted users (or, are at least unable
|
|
|
|
to set cookies). Note that even without CSRF, there are other vulnerabilities,
|
|
|
|
such as session fixation, that make giving subdomains to untrusted parties a bad
|
|
|
|
idea, and these vulnerabilities cannot easily be fixed with current browsers.
|
|
|
|
|
|
|
|
Contrib and reusable apps
|
|
|
|
=========================
|
2006-05-08 23:03:08 +00:00
|
|
|
|
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes is found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
|
|
|
Because it is possible for the developer to turn off the ``CsrfViewMiddleware``,
|
|
|
|
all relevant views in contrib apps use the ``csrf_protect`` decorator to ensure
|
|
|
|
the security of these applications against CSRF. It is recommended that the
|
|
|
|
developers of other reusable apps that want the same guarantees also use the
|
|
|
|
``csrf_protect`` decorator on their views.
|