Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Added CSRF middleware to default settings and updated docs.

Updated docs to reflect the change, and the fact that using the
two separate middleware is preferred to using the combined one.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@10094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 2d287247308ea5e40214f4564b91b633959902a9 1 parent 729c974
Luke Plant authored March 19, 2009
4  django/conf/global_settings.py
@@ -301,10 +301,12 @@
301 301
 # this middleware classes will be applied in the order given, and in the
302 302
 # response phase the middleware will be applied in reverse order.
303 303
 MIDDLEWARE_CLASSES = (
  304
+#     'django.middleware.gzip.GZipMiddleware',
  305
+    'django.contrib.csrf.middleware.CsrfViewMiddleware',
  306
+    'django.contrib.csrf.middleware.CsrfResponseMiddleware',
304 307
     'django.contrib.sessions.middleware.SessionMiddleware',
305 308
     'django.contrib.auth.middleware.AuthenticationMiddleware',
306 309
 #     'django.middleware.http.ConditionalGetMiddleware',
307  
-#     'django.middleware.gzip.GZipMiddleware',
308 310
     'django.middleware.common.CommonMiddleware',
309 311
 )
310 312
 
2  django/conf/project_template/settings.py
@@ -59,6 +59,8 @@
59 59
 
60 60
 MIDDLEWARE_CLASSES = (
61 61
     'django.middleware.common.CommonMiddleware',
  62
+    'django.contrib.csrf.middleware.CsrfViewMiddleware',
  63
+    'django.contrib.csrf.middleware.CsrfResponseMiddleware',
62 64
     'django.contrib.sessions.middleware.SessionMiddleware',
63 65
     'django.contrib.auth.middleware.AuthenticationMiddleware',
64 66
 )
67  docs/ref/contrib/csrf.txt
@@ -7,46 +7,47 @@ Cross Site Request Forgery protection
7 7
 .. module:: django.contrib.csrf
8 8
    :synopsis: Protects against Cross Site Request Forgeries
9 9
 
10  
-The CsrfMiddleware class provides easy-to-use protection against
11  
-`Cross Site Request Forgeries`_.  This type of attack occurs when a malicious
12  
-Web site creates a link or form button that is intended to perform some action
13  
-on your Web site, using the credentials of a logged-in user who is tricked
14  
-into clicking on the link in their browser.
  10
+The CsrfMiddleware classes provides easy-to-use protection against
  11
+`Cross Site Request Forgeries`_.  This type of attack occurs when a
  12
+malicious Web site creates a link or form button that is intended to
  13
+perform some action on your Web site, using the credentials of a
  14
+logged-in user who is tricked into clicking on the link in their
  15
+browser.
15 16
 
16 17
 The first defense against CSRF attacks is to ensure that GET requests
17  
-are side-effect free.  POST requests can then be protected by adding this
18  
-middleware into your list of installed middleware.
  18
+are side-effect free.  POST requests can then be protected by adding
  19
+these middleware into your list of installed middleware.
19 20
 
20 21
 .. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF
21 22
 
22 23
 How to use it
23 24
 =============
24 25
 
25  
-Add the middleware ``'django.contrib.csrf.middleware.CsrfMiddleware'`` to
26  
-your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. It needs to process
27  
-the response after the SessionMiddleware, so must come before it in the
28  
-list. It also must process the response before things like compression
29  
-happen to the response, so it must come after GZipMiddleware in the
30  
-list.
  26
+Add the middleware
  27
+``'django.contrib.csrf.middleware.CsrfViewMiddleware'`` and
  28
+``'django.contrib.csrf.middleware.CsrfResponseMiddleware'`` to your
  29
+list of middleware classes,
  30
+:setting:`MIDDLEWARE_CLASSES`. ``CsrfResponseMiddleware`` needs to
  31
+process the response after the ``SessionMiddleware``, so must come
  32
+before it in the list.  It also must process the response before
  33
+things like compression happen to the response, so it must come after
  34
+``GZipMiddleware`` in the list.
31 35
 
32  
-The ``CsrfMiddleware`` class is actually composed of two middleware:
33  
-``CsrfViewMiddleware`` which performs the checks on incoming requests,
34  
-and ``CsrfResponseMiddleware`` which performs post-processing of the
35  
-result.  This allows the individual components to be used and/or
36  
-replaced instead of using ``CsrfMiddleware``.
  36
+The ``CsrfMiddleware`` class, which combines the two classes, is also
  37
+available, for backwards compatibility with Django 1.0.
37 38
 
38 39
 .. versionchanged:: 1.1
39  
-    (previous versions of Django did not provide these two components
40  
-    of ``CsrfMiddleware`` as described above)
  40
+    previous versions of Django did not provide these two components
  41
+    of ``CsrfMiddleware`` as described above.
41 42
 
42 43
 Exceptions
43 44
 ----------
44 45
 
45 46
 .. versionadded:: 1.1
46 47
 
47  
-To manually exclude a view function from being handled by the
48  
-CsrfMiddleware, you can use the ``csrf_exempt`` decorator, found in
49  
-the ``django.contrib.csrf.middleware`` module. For example::
  48
+To manually exclude a view function from being handled by either of
  49
+the two CSRF middleware, you can use the ``csrf_exempt`` decorator,
  50
+found in the ``django.contrib.csrf.middleware`` module. For example::
50 51
 
51 52
     from django.contrib.csrf.middleware import csrf_exempt
52 53
 
@@ -54,12 +55,12 @@ the ``django.contrib.csrf.middleware`` module. For example::
54 55
         return HttpResponse('Hello world')
55 56
     my_view = csrf_exempt(my_view)
56 57
 
57  
-Like the middleware itself, the ``csrf_exempt`` decorator is composed
58  
-of two parts: a ``csrf_view_exempt`` decorator and a
59  
-``csrf_response_exempt`` decorator, found in the same module.  These
60  
-disable the view protection mechanism (``CsrfViewMiddleware``) and the
61  
-response post-processing (``CsrfResponseMiddleware``) respectively.
62  
-They can be used individually if required.
  58
+Like the middleware, the ``csrf_exempt`` decorator is composed of two
  59
+parts: a ``csrf_view_exempt`` decorator and a ``csrf_response_exempt``
  60
+decorator, found in the same module.  These disable the view
  61
+protection mechanism (``CsrfViewMiddleware``) and the response
  62
+post-processing (``CsrfResponseMiddleware``) respectively.  They can
  63
+be used individually if required.
63 64
 
64 65
 You don't have to worry about doing this for most AJAX views. Any
65 66
 request sent with "X-Requested-With: XMLHttpRequest" is automatically
@@ -68,7 +69,7 @@ exempt. (See the next section.)
68 69
 How it works
69 70
 ============
70 71
 
71  
-CsrfMiddleware does two things:
  72
+The CSRF middleware do two things:
72 73
 
73 74
 1. It modifies outgoing requests by adding a hidden form field to all
74 75
    'POST' forms, with the name 'csrfmiddlewaretoken' and a value which is
@@ -112,9 +113,9 @@ don't trust content within the same domain or subdomains.)
112 113
 Limitations
113 114
 ===========
114 115
 
115  
-CsrfMiddleware requires Django's session framework to work. If you have
116  
-a custom authentication system that manually sets cookies and the like,
117  
-it won't help you.
  116
+These middleware require Django's session framework to work. If you
  117
+have a custom authentication system that manually sets cookies and the
  118
+like, it won't help you.
118 119
 
119 120
 If your app creates HTML pages and forms in some unusual way, (e.g.
120 121
 it sends fragments of HTML in JavaScript document.write statements)
8  docs/releases/1.1-alpha-1.txt
@@ -74,7 +74,13 @@ Other new features and changes introduced since Django 1.0 include:
74 74
   ``CsrfMiddleware`` class (which does both) remains for
75 75
   backwards-compatibility, but using the split classes is now recommended in
76 76
   order to allow fine-grained control of when and where the CSRF processing
77  
-  takes place.
  77
+  takes place.  Decorators are provided for selectively turning it off for
  78
+  certain views.
  79
+
  80
+  Also, these middleware are now enabled by default when creating new projects.
  81
+  It is recommended to add these middleware, if not already present, to existing
  82
+  projects, to provide protection for the admin (which has no other CSRF
  83
+  protection) and other apps.
78 84
 
79 85
 * :func:`~django.core.urlresolvers.reverse` and code which uses it (e.g., the
80 86
   ``{% url %}`` template tag) now works with URLs in Django's administrative

0 notes on commit 2d28724

Please sign in to comment.
Something went wrong with that request. Please try again.