开发者

Having a POST'able API and Django's CSRF Middleware

开发者 https://www.devze.com 2022-12-22 02:56 出处:网络
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client.However, now with the new CSRF middleware component, API requests from the de

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising securi开发者_如何学Goty? Is there someway I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF or is that a bad strategy?

Edit--

The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.


How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?


If you are using a Class Based View then you will need to csrf_exempt the dispatch method rather than the post method like this:

@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
    return super(MyView, self).dispatch(request, *args, **kwargs)

See this bug ticket: https://code.djangoproject.com/ticket/15794


Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.

0

精彩评论

暂无评论...
验证码 换一张
取 消