mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Refs #28592 -- Improved some headings in CSRF how-to.
This commit is contained in:
parent
4b66a5e617
commit
f77216bd1a
@ -33,8 +33,8 @@ To take advantage of CSRF protection in your views, follow these steps:
|
||||
|
||||
.. _csrf-ajax:
|
||||
|
||||
AJAX
|
||||
====
|
||||
Using CSRF protection with AJAX
|
||||
===============================
|
||||
|
||||
While the above method can be used for AJAX POST requests, it has some
|
||||
inconveniences: you have to remember to pass the CSRF token in as POST data with
|
||||
@ -171,8 +171,8 @@ both is fine, and will incur minimal overhead.
|
||||
|
||||
.. _csrf-rejected-requests:
|
||||
|
||||
Handle rejected requests
|
||||
========================
|
||||
Handling rejected requests
|
||||
==========================
|
||||
|
||||
By default, a '403 Forbidden' response is sent to the user if an incoming
|
||||
request fails the checks performed by ``CsrfViewMiddleware``. This should
|
||||
@ -187,8 +187,8 @@ own view for handling this condition. To do this, set the
|
||||
CSRF failures are logged as warnings to the :ref:`django.security.csrf
|
||||
<django-security-logger>` logger.
|
||||
|
||||
Caching
|
||||
=======
|
||||
Using CSRF protection with caching
|
||||
==================================
|
||||
|
||||
If the :ttag:`csrf_token` template tag is used by a template (or the
|
||||
``get_token`` function is called some other way), ``CsrfViewMiddleware`` will
|
||||
@ -247,8 +247,8 @@ Solution: rather than disabling the middleware and applying ``csrf_protect`` to
|
||||
all the views that need it, enable the middleware and use
|
||||
:func:`~django.views.decorators.csrf.csrf_exempt`.
|
||||
|
||||
Setting the token when CsrfViewMiddleware.process_view is not used
|
||||
------------------------------------------------------------------
|
||||
Setting the token when ``CsrfViewMiddleware.process_view()`` is not used
|
||||
------------------------------------------------------------------------
|
||||
|
||||
There are cases when ``CsrfViewMiddleware.process_view`` may not have run
|
||||
before your view is run - 404 and 500 handlers, for example - but you still
|
||||
@ -299,8 +299,8 @@ with a :ttag:`csrf_token` that would cause the required CSRF cookie to be sent.
|
||||
Solution: use :func:`~django.views.decorators.csrf.ensure_csrf_cookie` on the
|
||||
view that sends the page.
|
||||
|
||||
Contrib and reusable apps
|
||||
=========================
|
||||
CSRF protection in reusable applications
|
||||
========================================
|
||||
|
||||
Because it is possible for the developer to turn off the ``CsrfViewMiddleware``,
|
||||
all relevant views in contrib apps use the ``csrf_protect`` decorator to ensure
|
||||
|
Loading…
Reference in New Issue
Block a user