拥有可发布的API和Django的CSRF中间件 [英] Having a POST'able API and Django's CSRF Middleware

问题描述

我有一个Django webapp，它具有前端，可访问Web的组件和桌面客户端访问的API。然而，现在使用新的CSRF中间件组件，来自桌面客户端的POST请求的API请求将获得403。

我明白为什么会发生这种情况，但是什么是在不危及安全性的情况下解决这个问题的正确方法？有没有什么可以在HTTP标头中发信号，这是一个API请求，Django不应该检查CSRF或者是不好的策略？

我目前使用的方法是桌面客户端设置一个头，X请求 - 使用：XMLHttpRequest。这是一个黑客，但我不知道如何处理得更好。

解决方案

（s）为您的桌面客户端和装饰他们与 csrf_exempt ？

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising security? Is there someway I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF or is that a bad strategy?

Edit--

The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.

解决方案

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?

这篇关于拥有可发布的API和Django的CSRF中间件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！