Using GET in a Django Form
I have a question about Django Forms and GET.

I have a form that downloads student grades as a CSV file. The fields are name and year, so I have a forms.py:

```python
from django import forms

class StudentDownloadForm(forms.Form):
    name = forms.CharField()
    year = forms.CharField()
```

I want to use this form in template.html and in

```python
context = {'student_form': StudentDownloadForm()}
```

```html
<form action="" method="GET">
    {% csrf_token %}{{ student_form|crispy }}
    <input type="submit" value="Query"/>
</form>
```
So my questions are:

- If I use `method="GET"`, the csrf token is visible in the URL, which is a security issue.
- Can I use `method="POST"` instead?
- Or can I remove the csrf token from the form?
According to the Django documentation (Cross Site Request Forgery protection):

For all incoming requests that are not using HTTP GET, HEAD, OPTIONS or TRACE, a CSRF cookie must be present, and the ‘csrfmiddlewaretoken’ field must be present and correct. If it isn’t, the user will get a 403 error.

and:

It deliberately ignores GET requests (and other requests that are defined as ‘safe’ by RFC 2616). These requests ought never to have any potentially dangerous side effects, and so a CSRF attack with a GET request ought to be harmless. RFC 2616 defines POST, PUT and DELETE as ‘unsafe’, and all other methods are assumed to be unsafe, for maximum protection.

So you can omit the CSRF token for GET requests.
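To make the documented rule concrete, here is a small pure-Python model, added here and not code from the question, the answer or Django itself, of how the form's fields travel under GET versus POST and of the check the middleware applies. The function names, the `/download/` URL, the sample fields and the token value are all assumptions.

```python
from urllib.parse import urlencode, parse_qs

# Methods the Django docs quote as "safe" (RFC 2616): the CSRF middleware
# does not check them. Everything else needs cookie + csrfmiddlewaretoken.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_required(method):
    """True when Django would demand a CSRF token for this HTTP method."""
    return method.upper() not in SAFE_METHODS


def submit_form(method, fields, csrf_token=None):
    """Model of a browser submitting StudentDownloadForm (hypothetical helper).
    With GET every field, including csrfmiddlewaretoken if the template
    rendered it, lands in the query string (URL bar, server logs, Referer);
    with POST the fields travel in the request body instead."""
    data = dict(fields)
    if csrf_token is not None:
        data["csrfmiddlewaretoken"] = csrf_token
    if method.upper() == "GET":
        return {"method": "GET", "url": "/download/?" + urlencode(data), "body": ""}
    return {"method": method.upper(), "url": "/download/", "body": urlencode(data)}


def csrf_check(request, cookie_token):
    """Simplified version of the documented rule (not Django's code): safe
    methods pass without a token; unsafe methods need the CSRF cookie and a
    form field that matches it, otherwise Django answers 403."""
    if not csrf_required(request["method"]):
        return True
    if cookie_token is None:
        return False
    field = parse_qs(request["body"]).get("csrfmiddlewaretoken", [None])[0]
    return field == cookie_token


if __name__ == "__main__":
    fields = {"name": "Ana", "year": "2023"}                 # constructed input
    leaky = submit_form("GET", fields, csrf_token="tok123")  # constructed token
    print(leaky["url"])                        # token is now part of the URL
    clean = submit_form("GET", fields)         # template without {% csrf_token %}
    print(csrf_check(clean, cookie_token=None))            # True: GET is exempt
    posted = submit_form("POST", fields, csrf_token="tok123")
    print(csrf_check(posted, cookie_token="tok123"))       # True: cookie matches
    print(csrf_check(posted, cookie_token=None))           # False: would be 403
```

For a CSV download that changes nothing on the server, a GET form without `{% csrf_token %}` is the right shape; if the view ever starts mutating state, switch it to POST and keep the token.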