From f77216bd1a777e219aeada964c5af134f4112111 Mon Sep 17 00:00:00 2001 From: Tomas McNamer Date: Tue, 22 Mar 2022 01:05:34 -0400 Subject: [PATCH] Refs #28592 -- Improved some headings in CSRF how-to. --- docs/howto/csrf.txt | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/howto/csrf.txt b/docs/howto/csrf.txt index eb39c94717..2e3441dfc3 100644 --- a/docs/howto/csrf.txt +++ b/docs/howto/csrf.txt @@ -33,8 +33,8 @@ To take advantage of CSRF protection in your views, follow these steps: .. _csrf-ajax: -AJAX -==== +Using CSRF protection with AJAX +=============================== While the above method can be used for AJAX POST requests, it has some inconveniences: you have to remember to pass the CSRF token in as POST data with @@ -171,8 +171,8 @@ both is fine, and will incur minimal overhead. .. _csrf-rejected-requests: -Handle rejected requests -======================== +Handling rejected requests +========================== By default, a '403 Forbidden' response is sent to the user if an incoming request fails the checks performed by ``CsrfViewMiddleware``. This should @@ -187,8 +187,8 @@ own view for handling this condition. To do this, set the CSRF failures are logged as warnings to the :ref:`django.security.csrf ` logger. -Caching -======= +Using CSRF protection with caching +================================== If the :ttag:`csrf_token` template tag is used by a template (or the ``get_token`` function is called some other way), ``CsrfViewMiddleware`` will 
@@ -247,8 +247,8 @@ Solution: rather than disabling the middleware and applying ``csrf_protect`` to all the views that need it, enable the middleware and use :func:`~django.views.decorators.csrf.csrf_exempt`. -Setting the token when CsrfViewMiddleware.process_view is not used ------------------------------------------------------------------- +Setting the token when ``CsrfViewMiddleware.process_view()`` is not used +------------------------------------------------------------------------ There are cases when ``CsrfViewMiddleware.process_view`` may not have run before your view is run - 404 and 500 handlers, for example - but you still @@ -299,8 +299,8 @@ with a :ttag:`csrf_token` that would cause the required CSRF cookie to be sent. Solution: use :func:`~django.views.decorators.csrf.ensure_csrf_cookie` on the view that sends the page. -Contrib and reusable apps -========================= +CSRF protection in reusable applications +======================================== Because it is possible for the developer to turn off the ``CsrfViewMiddleware``, all relevant views in contrib apps use the ``csrf_protect`` decorator to ensure
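Review bot: in the first hunk (@@ -33,8 +33,8 @@) the `.. _csrf-ajax:` label is kept above the renamed heading, so existing :ref:`csrf-ajax` links still resolve, but any :ref: to it written without an explicit title will now render as "Using CSRF protection with AJAX" instead of "AJAX"; it is worth checking the pages that link here so the longer title still reads naturally in their sentences.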
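Review bot: the caching heading renamed in the third hunk (@@ -187,8 +187,8 @@) has no explicit label above it, unlike the `.. _csrf-ajax:` and `.. _csrf-rejected-requests:` sections touched in the same patch, so it cannot be cross-referenced with :ref: from other pages; since the heading is being renamed anyway, consider adding a `.. _csrf-caching:` label immediately before "Using CSRF protection with caching" so later references do not depend on the heading text.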
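Review bot: the fourth hunk (@@ -247,8 +247,8 @@) changes the heading to ``CsrfViewMiddleware.process_view()`` with parentheses, while the unchanged body line right below still reads ``CsrfViewMiddleware.process_view`` without them; pick one form for both, and if the heading keeps the call syntax, update the sentence "There are cases when ``CsrfViewMiddleware.process_view`` may not have run" to match.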
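Review bot: in the last hunk (@@ -299,8 +299,8 @@) the new heading "CSRF protection in reusable applications" drops "contrib", yet the unchanged first sentence of the section still says "all relevant views in contrib apps use the ``csrf_protect`` decorator", so the heading no longer names what the paragraph actually describes; either keep contrib in the title (e.g. "CSRF protection in contrib and reusable apps") or reword the opening sentence to cover reusable apps in general.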