Having a POST'able API and Django's CSRF Middleware

Problem description

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising security? Is there some way I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF, or is that a bad strategy?

Edit--

The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.

Recommended answer

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?
