Hi,
I'm fairly new to web development and Django, and I'm trying to make sure
my application is protected against CSRF attacks. I've read through
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/, but I'm not
confident I'm understanding it fully. I'd be very grateful for some
feedback on what I'm doing.
I started by enabling CsrfViewMiddleware. Then I looked at my POST forms:
1) I have POST forms that go to internal URLs in templates, both in my own
application and in the registration library I'm using. All of them use the
csrf_token tag, so I think I'm set there.
2) I do POSTs to internal URLs from my client-side JavaScript. Some POSTs
are already baked into this code, but one gets built on the fly.
My first question comes from the beginning of the doc, where it says, "The
first defense against CSRF attacks is to ensure that GET requests are
side-effect free." What's meant by "side-effect free"?
I also have a question about this line: "In the corresponding view
functions, ensure that the 'django.core.context_processors.csrf' context
processor is being used." I'm interpreting this to mean: "in the view
functions that are used to render your templates that do POSTs, ensure that
the csrf context processor is being used." That is, I don't need to worry
about the context processor in views that are just handling POSTs that
originate via AJAX from my client side. Am I understanding this correctly?
I have one view that handles a webhook/POST that originates from outside my
site and comes from a non-logged-in-user. I have decorated this view with a
csrf_exempt decorator and don't return the CSRF token in my response. So I
think I am covered there -- correct?
For the POSTs that originate from my client-side javascript code, I use the
code given in the doc to get the token from csrf cookie and attach it to
outgoing AJAX calls to internal URLs for HTTP/HTTPS methods that require
it. But there is one POST form I build on the fly. Since the page that runs
that code is generated by a template and the CSRF token is included in the
context, I included this code:
<script type="text/javascript">
var getCSRFToken = function () { return "{% csrf_token %}"; };
</script>
and call the function when I'm building my form. Is that the right way to
handle this?
Thanks in advance for any advice or critiques you can give me.
Spork
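Added example (not from the original post, and not Django's own code): the client-side token handling the question describes, as plain functions so the behaviour can be checked. The cookie and header names are Django's defaults (csrftoken, X-CSRFToken); the sample cookie string, origin and form fields are constructed for the example.

```javascript
// Methods Django's CsrfViewMiddleware treats as safe and does not check;
// these are the ones that must stay side-effect free.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function csrfSafeMethod(method) {
  return SAFE_METHODS.has(String(method).toUpperCase());
}

// Read one cookie from a document.cookie-style string ("a=1; b=2").
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// True only for a same-origin URL: a relative path (but not a
// protocol-relative "//host/..." URL) or an absolute URL under our origin.
function isSameOrigin(url, origin) {
  if (url.startsWith('//')) return false;
  return url.startsWith('/') || url.startsWith(origin + '/');
}

// Headers for an AJAX call. The token is attached only for unsafe methods
// to internal URLs, so it is never sent to another host.
function csrfHeaders(method, url, cookieString, origin) {
  const headers = {};
  if (!csrfSafeMethod(method) && isSameOrigin(url, origin)) {
    const token = getCookie('csrftoken', cookieString);
    if (!token) throw new Error('csrftoken cookie missing; refusing unsafe request');
    headers['X-CSRFToken'] = token;
  }
  return headers;
}

// Fields for a form built on the fly. A regular (non-AJAX) POST is checked
// against the csrfmiddlewaretoken field, so add that field from the same
// cookie the AJAX path uses. Note that "{% csrf_token %}" renders a whole
// hidden <input> element, not the bare token value, so a function returning
// that string yields markup rather than a token.
function dynamicFormFields(fields, cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (!token) throw new Error('csrftoken cookie missing');
  return { ...fields, csrfmiddlewaretoken: token };
}
```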