2009-12-26 03:44:21 +00:00
|
|
|
==========
|
|
|
|
Middleware
|
|
|
|
==========
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
.. module:: django.middleware
|
|
|
|
:synopsis: Django's built-in middleware classes.
|
|
|
|
|
|
|
|
This document explains all middleware components that come with Django. For
|
2011-06-19 19:40:18 +00:00
|
|
|
information on how to use them and how to write your own middleware, see
|
2010-08-19 19:27:44 +00:00
|
|
|
the :doc:`middleware usage guide </topics/http/middleware>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Available middleware
|
|
|
|
====================
|
|
|
|
|
|
|
|
Cache middleware
|
|
|
|
----------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.cache
|
2009-02-15 05:46:00 +00:00
|
|
|
:synopsis: Middleware for the site-wide cache.
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: UpdateCacheMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: FetchFromCacheMiddleware
|
2008-09-01 09:42:15 +00:00
|
|
|
|
|
|
|
Enable the site-wide cache. If these are enabled, each Django-powered page will
|
2008-08-23 22:25:40 +00:00
|
|
|
be cached for as long as the :setting:`CACHE_MIDDLEWARE_SECONDS` setting
|
2010-08-19 19:27:44 +00:00
|
|
|
defines. See the :doc:`cache documentation </topics/cache>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
"Common" middleware
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.common
|
|
|
|
:synopsis: Middleware adding "common" conveniences for perfectionists.
|
2009-02-15 05:46:00 +00:00
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: CommonMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Adds a few conveniences for perfectionists:
|
|
|
|
|
2011-10-14 00:12:01 +00:00
|
|
|
* Forbids access to user agents in the :setting:`DISALLOWED_USER_AGENTS`
|
2013-07-25 10:57:49 +00:00
|
|
|
setting, which should be a list of compiled regular expression objects.
|
2011-10-14 00:12:01 +00:00
|
|
|
|
|
|
|
* Performs URL rewriting based on the :setting:`APPEND_SLASH` and
|
|
|
|
:setting:`PREPEND_WWW` settings.
|
|
|
|
|
|
|
|
If :setting:`APPEND_SLASH` is ``True`` and the initial URL doesn't end
|
|
|
|
with a slash, and it is not found in the URLconf, then a new URL is
|
|
|
|
formed by appending a slash at the end. If this new URL is found in the
|
|
|
|
URLconf, then Django redirects the request to this new URL. Otherwise,
|
|
|
|
the initial URL is processed as usual.
|
|
|
|
|
|
|
|
For example, ``foo.com/bar`` will be redirected to ``foo.com/bar/`` if
|
|
|
|
you don't have a valid URL pattern for ``foo.com/bar`` but *do* have a
|
|
|
|
valid pattern for ``foo.com/bar/``.
|
|
|
|
|
|
|
|
If :setting:`PREPEND_WWW` is ``True``, URLs that lack a leading "www."
|
|
|
|
will be redirected to the same URL with a leading "www."
|
|
|
|
|
|
|
|
Both of these options are meant to normalize URLs. The philosophy is that
|
|
|
|
each URL should exist in one, and only one, place. Technically a URL
|
|
|
|
``foo.com/bar`` is distinct from ``foo.com/bar/`` -- a search-engine
|
|
|
|
indexer would treat them as separate URLs -- so it's best practice to
|
|
|
|
normalize URLs.
|
|
|
|
|
|
|
|
* Handles ETags based on the :setting:`USE_ETAGS` setting. If
|
|
|
|
:setting:`USE_ETAGS` is set to ``True``, Django will calculate an ETag
|
|
|
|
for each request by MD5-hashing the page content, and it'll take care of
|
|
|
|
sending ``Not Modified`` responses, if appropriate.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2013-01-01 21:28:48 +00:00
|
|
|
.. class:: BrokenLinkEmailsMiddleware
|
|
|
|
|
|
|
|
* Sends broken link notification emails to :setting:`MANAGERS` (see
|
|
|
|
:doc:`/howto/error-reporting`).
|
|
|
|
|
2012-01-09 21:42:03 +00:00
|
|
|
GZip middleware
|
2008-08-23 22:25:40 +00:00
|
|
|
---------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.gzip
|
2012-01-09 21:42:03 +00:00
|
|
|
:synopsis: Middleware to serve GZipped content for performance.
|
2009-02-15 05:46:00 +00:00
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: GZipMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2013-09-11 12:17:15 +00:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
Security researchers recently revealed that when compression techniques
|
|
|
|
(including ``GZipMiddleware``) are used on a website, the site becomes
|
|
|
|
exposed to a number of possible attacks. These approaches can be used to
|
2014-03-02 15:00:30 +00:00
|
|
|
compromise, among other things, Django's CSRF protection. Before using
|
2013-09-11 12:17:15 +00:00
|
|
|
``GZipMiddleware`` on your site, you should consider very carefully whether
|
|
|
|
you are subject to these attacks. If you're in *any* doubt about whether
|
|
|
|
you're affected, you should avoid using ``GZipMiddleware``. For more
|
|
|
|
details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
|
|
|
|
|
|
|
|
.. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
|
|
|
|
.. _breachattack.com: http://breachattack.com
|
|
|
|
|
2012-01-09 21:42:03 +00:00
|
|
|
Compresses content for browsers that understand GZip compression (all modern
|
2008-08-23 22:25:40 +00:00
|
|
|
browsers).
|
|
|
|
|
2012-10-17 11:03:40 +00:00
|
|
|
This middleware should be placed before any other middleware that need to
|
|
|
|
read or write the response body so that compression happens afterward.
|
2012-01-09 21:42:03 +00:00
|
|
|
|
2012-02-03 20:45:45 +00:00
|
|
|
It will NOT compress content if any of the following are true:
|
2012-01-09 21:42:03 +00:00
|
|
|
|
2012-02-03 20:45:45 +00:00
|
|
|
* The content body is less than 200 bytes long.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2012-02-03 20:45:45 +00:00
|
|
|
* The response has already set the ``Content-Encoding`` header.
|
|
|
|
|
|
|
|
* The request (the browser) hasn't sent an ``Accept-Encoding`` header
|
|
|
|
containing ``gzip``.
|
|
|
|
|
|
|
|
* The request is from Internet Explorer and the ``Content-Type`` header
|
|
|
|
contains ``javascript`` or starts with anything other than ``text/``.
|
|
|
|
We do this to avoid a bug in early versions of IE that caused decompression
|
|
|
|
not to be performed on certain content types.
|
|
|
|
|
|
|
|
You can apply GZip compression to individual views using the
|
2013-01-01 13:12:42 +00:00
|
|
|
:func:`~django.views.decorators.gzip.gzip_page()` decorator.
|
2010-12-27 13:27:26 +00:00
|
|
|
|
2008-08-23 22:25:40 +00:00
|
|
|
Conditional GET middleware
|
|
|
|
--------------------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.http
|
|
|
|
:synopsis: Middleware handling advanced HTTP features.
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: ConditionalGetMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Handles conditional GET operations. If the response has a ``ETag`` or
|
|
|
|
``Last-Modified`` header, and the request has ``If-None-Match`` or
|
|
|
|
``If-Modified-Since``, the response is replaced by an
|
2013-01-01 13:12:42 +00:00
|
|
|
:class:`~django.http.HttpResponseNotModified`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Also sets the ``Date`` and ``Content-Length`` response-headers.
|
|
|
|
|
|
|
|
Reverse proxy middleware
|
|
|
|
------------------------
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: SetRemoteAddrFromForwardedFor
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2009-07-29 05:35:51 +00:00
|
|
|
This middleware was removed in Django 1.1. See :ref:`the release notes
|
|
|
|
<removed-setremoteaddrfromforwardedfor-middleware>` for details.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Locale middleware
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.locale
|
|
|
|
:synopsis: Middleware to enable language selection based on the request.
|
2009-02-15 05:46:00 +00:00
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: LocaleMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2009-02-15 05:46:00 +00:00
|
|
|
Enables language selection based on data from the request. It customizes
|
2010-08-19 19:27:44 +00:00
|
|
|
content for each user. See the :doc:`internationalization documentation
|
2012-07-28 17:31:41 +00:00
|
|
|
</topics/i18n/translation>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2012-11-17 12:14:12 +00:00
|
|
|
.. attribute:: LocaleMiddleware.response_redirect_class
|
|
|
|
|
|
|
|
Defaults to :class:`~django.http.HttpResponseRedirect`. Subclass
|
|
|
|
``LocaleMiddleware`` and override the attribute to customize the redirects
|
|
|
|
issued by the middleware.
|
|
|
|
|
2009-12-09 16:57:23 +00:00
|
|
|
Message middleware
|
|
|
|
------------------
|
|
|
|
|
|
|
|
.. module:: django.contrib.messages.middleware
|
|
|
|
:synopsis: Message middleware.
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: MessageMiddleware
|
2009-12-09 16:57:23 +00:00
|
|
|
|
2009-12-26 03:44:21 +00:00
|
|
|
Enables cookie- and session-based message support. See the
|
2010-08-19 19:27:44 +00:00
|
|
|
:doc:`messages documentation </ref/contrib/messages>`.
|
2009-12-09 16:57:23 +00:00
|
|
|
|
2008-08-23 22:25:40 +00:00
|
|
|
Session middleware
|
|
|
|
------------------
|
|
|
|
|
|
|
|
.. module:: django.contrib.sessions.middleware
|
|
|
|
:synopsis: Session middleware.
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: SessionMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2010-08-19 19:27:44 +00:00
|
|
|
Enables session support. See the :doc:`session documentation
|
|
|
|
</topics/http/sessions>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2013-11-18 20:16:09 +00:00
|
|
|
Site middleware
|
|
|
|
---------------
|
|
|
|
|
2014-03-21 16:24:49 +00:00
|
|
|
.. module:: django.contrib.sites.middleware
|
2013-11-18 20:16:09 +00:00
|
|
|
:synopsis: Site middleware.
|
|
|
|
|
|
|
|
.. class:: CurrentSiteMiddleware
|
|
|
|
|
|
|
|
.. versionadded:: 1.7
|
|
|
|
|
|
|
|
Adds the ``site`` attribute representing the current site to every incoming
|
|
|
|
``HttpRequest`` object. See the :ref:`sites documentation <site-middleware>`.
|
|
|
|
|
2008-08-23 22:25:40 +00:00
|
|
|
Authentication middleware
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
.. module:: django.contrib.auth.middleware
|
2009-02-15 05:46:00 +00:00
|
|
|
:synopsis: Authentication middleware.
|
|
|
|
|
2010-11-27 21:58:20 +00:00
|
|
|
.. class:: AuthenticationMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2009-02-15 05:46:00 +00:00
|
|
|
Adds the ``user`` attribute, representing the currently-logged-in user, to
|
2012-12-28 19:00:11 +00:00
|
|
|
every incoming ``HttpRequest`` object. See :ref:`Authentication in Web requests
|
|
|
|
<auth-web-requests>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2014-04-01 00:16:09 +00:00
|
|
|
.. class:: SessionAuthenticationMiddleware
|
|
|
|
|
|
|
|
.. versionadded:: 1.7
|
|
|
|
|
|
|
|
Allows a user's sessions to be invalidated when their password changes. See
|
|
|
|
:ref:`session-invalidation-on-password-change` for details. This middleware must
|
|
|
|
appear after :class:`django.contrib.auth.middleware.AuthenticationMiddleware`
|
|
|
|
in :setting:`MIDDLEWARE_CLASSES`.
|
|
|
|
|
2008-08-23 22:25:40 +00:00
|
|
|
CSRF protection middleware
|
|
|
|
--------------------------
|
|
|
|
|
2009-10-27 00:36:34 +00:00
|
|
|
.. module:: django.middleware.csrf
|
2009-02-15 05:46:00 +00:00
|
|
|
:synopsis: Middleware adding protection against Cross Site Request
|
|
|
|
Forgeries.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2011-11-12 17:37:29 +00:00
|
|
|
.. class:: CsrfViewMiddleware
|
2008-08-23 22:25:40 +00:00
|
|
|
|
|
|
|
Adds protection against Cross Site Request Forgeries by adding hidden form
|
|
|
|
fields to POST forms and checking requests for the correct value. See the
|
2010-08-19 19:27:44 +00:00
|
|
|
:doc:`Cross Site Request Forgery protection documentation </ref/contrib/csrf>`.
|
2008-08-23 22:25:40 +00:00
|
|
|
|
2011-05-30 22:27:47 +00:00
|
|
|
X-Frame-Options middleware
|
|
|
|
--------------------------
|
|
|
|
|
|
|
|
.. module:: django.middleware.clickjacking
|
|
|
|
:synopsis: Clickjacking protection
|
|
|
|
|
|
|
|
.. class:: XFrameOptionsMiddleware
|
|
|
|
|
|
|
|
Simple :doc:`clickjacking protection via the X-Frame-Options header </ref/clickjacking/>`.
|