Negligible spacing changes to docs/csrf.txt to be consistent
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent cd394a246a
commit 8103b7dfad
@ -1,5 +1,5 @@
|
||||||
=====================================
|
=====================================
|
||||||
Cross Site Request Forgery Protection
|
Cross Site Request Forgery protection
|
||||||
=====================================
|
=====================================
|
||||||
|
|
||||||
The CsrfMiddleware class provides easy-to-use protection against
|
The CsrfMiddleware class provides easy-to-use protection against
|
||||||
|
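Review bot: the only visible change in this hunk is the title going from "Cross Site Request Forgery Protection" to "Cross Site Request Forgery protection", which is a capitalization change rather than a spacing change, so the commit message ("Negligible spacing changes ... to be consistent") does not describe it. The lowercase form does match the sentence case of the later headings ("How to use it", "How it works", "Limitations"), so the edit itself is fine; consider mentioning it in the message. The title keeps the same character count and the `=====` underline and overline are unchanged on both sides, so the reStructuredText heading still validates.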
@ -12,11 +12,11 @@ The first defense against CSRF attacks is to ensure that GET requests
|
||||||
are side-effect free. POST requests can then be protected by adding this
|
are side-effect free. POST requests can then be protected by adding this
|
||||||
middleware into your list of installed middleware.
|
middleware into your list of installed middleware.
|
||||||
|
|
||||||
|
|
||||||
.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
|
.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
|
||||||
|
|
||||||
How to use it
|
How to use it
|
||||||
=============
|
=============
|
||||||
|
|
||||||
Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
|
Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
|
||||||
your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process
|
your list of middleware classes, ``MIDDLEWARE_CLASSES``. It needs to process
|
||||||
the response after the SessionMiddleware, so must come before it in the
|
the response after the SessionMiddleware, so must come before it in the
|
||||||
|
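Review bot: the old and new sides of this hunk read identically in this rendering and the line counts match (-12,11 +12,11), so whatever changed here is whitespace that the side-by-side view does not show (trailing spaces or tab versus space indentation). Nothing to object to for a spacing commit, but it cannot be confirmed from the page alone; `git show -w` producing an empty hunk here, or `git diff --ws-error-highlight=all` to make the whitespace visible, would let a reviewer verify it.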
@ -25,6 +25,7 @@ happen to the response, so it must come after GZipMiddleware in the list.
|
||||||
|
|
||||||
How it works
|
How it works
|
||||||
============
|
============
|
||||||
|
|
||||||
CsrfMiddleware does two things:
|
CsrfMiddleware does two things:
|
||||||
|
|
||||||
1. It modifies outgoing requests by adding a hidden form field to all
|
1. It modifies outgoing requests by adding a hidden form field to all
|
||||||
|
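Review bot: the context line "It modifies outgoing requests by adding a hidden form field to all" has the direction wrong: the hidden field is injected into outgoing responses (the rendered HTML), and the token is then checked on incoming POST requests, which is also what the "How to use it" section says when it requires the middleware to "process the response after the SessionMiddleware". Since this commit already edits docs/csrf.txt, changing "outgoing requests" to "outgoing responses" here would be a cheap fix. The hunk itself only adds one line with no visible text (-25,6 +25,7), a blank separator, which is fine.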
@ -55,6 +56,7 @@ are modified.
|
||||||
|
|
||||||
Limitations
|
Limitations
|
||||||
===========
|
===========
|
||||||
|
|
||||||
CsrfMiddleware requires Django's session framework to work. If you have
|
CsrfMiddleware requires Django's session framework to work. If you have
|
||||||
a custom authentication system that manually sets cookies and the like,
|
a custom authentication system that manually sets cookies and the like,
|
||||||
it won't help you.
|
it won't help you.
|
||||||
|
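Review bot: this hunk (-55,6 +56,7) adds a single line with no visible text, a blank separator around the "Limitations" heading, which brings it in line with the two empty rows that precede "How to use it" and "How it works" in the earlier hunks; fine as a consistency change. The limitation stated in the context (CsrfMiddleware requires the session framework, and a custom authentication system that sets its own cookies gets no protection) is accurate and worth keeping as-is.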
@ -65,4 +67,3 @@ you might bypass the filter that adds the hidden field to the form,
|
||||||
in which case form submission will always fail. It may still be possible
|
in which case form submission will always fail. It may still be possible
|
||||||
to use the middleware, provided you can find some way to get the
|
to use the middleware, provided you can find some way to get the
|
||||||
CSRF token and ensure that is included when your form is submitted.
|
CSRF token and ensure that is included when your form is submitted.
|
||||||
|
|
||||||
|
|
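Review bot: this hunk (-65,4 +67,3) removes one line with no visible text at the end of the file, i.e. a trailing blank line; that is a harmless cleanup and matches the "to be consistent" intent. To keep trailing blank lines and trailing spaces from creeping back in, running `git diff --check` before committing (it warns on whitespace errors) would catch this class of change without a manual diff read.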