p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #28592 -- Improved some headings in CSRF how-to.

This commit is contained in:
Tomas McNamer 2022-03-22 01:05:34 -04:00 committed by GitHub
parent 4b66a5e617
commit f77216bd1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docs/howto/csrf.txt
View File

@ -33,8 +33,8 @@ To take advantage of CSRF protection in your views, follow these steps:
.. _csrf-ajax:
AJAX
====
Using CSRF protection with AJAX
===============================
While the above method can be used for AJAX POST requests, it has some
inconveniences: you have to remember to pass the CSRF token in as POST data with
@ -171,8 +171,8 @@ both is fine, and will incur minimal overhead.
.. _csrf-rejected-requests:
Handle rejected requests
========================
Handling rejected requests
==========================
By default, a '403 Forbidden' response is sent to the user if an incoming
request fails the checks performed by ``CsrfViewMiddleware``. This should
@ -187,8 +187,8 @@ own view for handling this condition. To do this, set the
CSRF failures are logged as warnings to the :ref:`django.security.csrf
<django-security-logger>` logger.
Caching
=======
Using CSRF protection with caching
==================================
If the :ttag:`csrf_token` template tag is used by a template (or the
``get_token`` function is called some other way), ``CsrfViewMiddleware`` will
@ -247,8 +247,8 @@ Solution: rather than disabling the middleware and applying ``csrf_protect`` to
all the views that need it, enable the middleware and use
:func:`~django.views.decorators.csrf.csrf_exempt`.
Setting the token when CsrfViewMiddleware.process_view is not used
------------------------------------------------------------------
Setting the token when ``CsrfViewMiddleware.process_view()`` is not used
------------------------------------------------------------------------
There are cases when ``CsrfViewMiddleware.process_view`` may not have run
before your view is run - 404 and 500 handlers, for example - but you still
@ -299,8 +299,8 @@ with a :ttag:`csrf_token` that would cause the required CSRF cookie to be sent.
Solution: use :func:`~django.views.decorators.csrf.ensure_csrf_cookie` on the
view that sends the page.
Contrib and reusable apps
=========================
CSRF protection in reusable applications
========================================
Because it is possible for the developer to turn off the ``CsrfViewMiddleware``,
all relevant views in contrib apps use the ``csrf_protect`` decorator to ensure