module documentation

Cross Site Request Forgery Middleware.

This module provides a middleware that implements protection against request forgeries from other sites.

Class CsrfViewMiddleware Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie.
Constant CSRF_ALLOWED_CHARS Undocumented
Constant CSRF_SECRET_LENGTH Undocumented
Constant CSRF_SESSION_KEY Undocumented
Constant CSRF_TOKEN_LENGTH Undocumented
Constant REASON_BAD_ORIGIN Undocumented
Constant REASON_BAD_REFERER Undocumented
Constant REASON_CSRF_TOKEN_MISSING Undocumented
Constant REASON_INCORRECT_LENGTH Undocumented
Constant REASON_INSECURE_REFERER Undocumented
Constant REASON_INVALID_CHARACTERS Undocumented
Constant REASON_MALFORMED_REFERER Undocumented
Constant REASON_NO_CSRF_COOKIE Undocumented
Constant REASON_NO_REFERER Undocumented
Variable invalid_token_chars_re Undocumented
Variable logger Undocumented
Class InvalidTokenFormat Undocumented
Class RejectRequest Undocumented
Function _add_new_csrf_cookie Generate a new random CSRF_COOKIE value, and add it to request.META.
Function _does_token_match Undocumented
Function _get_failure_view Return the view to be used for CSRF rejections.
Function _get_new_csrf_string Undocumented
Function _mask_cipher_secret Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret.
Function _sanitize_token Undocumented
Function _unmask_cipher_token Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret.
Function get_token Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set.
Function rotate_token Change the CSRF token in use for a request - should be done on login for security purposes.

CSRF_ALLOWED_CHARS = string.ascii_letters+string.digits

Undocumented

CSRF_SECRET_LENGTH: int = 32

Undocumented

CSRF_SESSION_KEY: str = '_csrftoken'

Undocumented

CSRF_TOKEN_LENGTH = 2*CSRF_SECRET_LENGTH

Undocumented

REASON_BAD_ORIGIN: str = 'Origin checking failed - %s does not match any trusted origins.'

Undocumented

REASON_BAD_REFERER: str = 'Referer checking failed - %s does not match any trusted origins.'

Undocumented

REASON_CSRF_TOKEN_MISSING: str = 'CSRF token missing.'

Undocumented

REASON_INCORRECT_LENGTH: str = 'has incorrect length'

Undocumented

REASON_INSECURE_REFERER: str = 'Referer checking failed - Referer is insecure while host is secure.'

Undocumented

REASON_INVALID_CHARACTERS: str = 'has invalid characters'

Undocumented

REASON_MALFORMED_REFERER: str = 'Referer checking failed - Referer is malformed.'

Undocumented

REASON_NO_CSRF_COOKIE: str = 'CSRF cookie not set.'

Undocumented

REASON_NO_REFERER: str = 'Referer checking failed - no Referer.'

Undocumented

invalid_token_chars_re =

Undocumented

logger =

Undocumented

def _add_new_csrf_cookie(request):

Generate a new random CSRF_COOKIE value, and add it to request.META.

def _does_token_match(request_csrf_token, csrf_token):

Undocumented

def _get_failure_view():

Return the view to be used for CSRF rejections.

def _get_new_csrf_string():

Undocumented

def _mask_cipher_secret(secret):

Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret.

def _sanitize_token(token):

Undocumented

def _unmask_cipher_token(token):

Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret.

def get_token(request):

Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set.

A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor.

def rotate_token(request):

Change the CSRF token in use for a request - should be done on login for security purposes.
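
The masking scheme described for _mask_cipher_secret and _unmask_cipher_token, written out as an added example (not this module's own source). It assumes "adding a mask" means per-character index addition modulo the size of CSRF_ALLOWED_CHARS, and that matching is done on the unmasked secrets; the helper names new_csrf_string, mask_secret, unmask_token and tokens_match are hypothetical.

```python
import hmac
import secrets
import string

# Values as listed on this page.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_string():
    """Random string of CSRF_SECRET_LENGTH allowed characters (CSPRNG-backed)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, mask=None):
    """Return mask + cipher, where cipher[i] = secret[i] + mask[i] (mod alphabet size)."""
    chars = CSRF_ALLOWED_CHARS
    mask = new_csrf_string() if mask is None else mask
    if len(secret) != CSRF_SECRET_LENGTH or len(mask) != CSRF_SECRET_LENGTH:
        raise ValueError("has incorrect length")
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Split the token into mask and cipher halves and subtract the mask."""
    chars = CSRF_ALLOWED_CHARS
    if len(token) != CSRF_TOKEN_LENGTH:
        raise ValueError("has incorrect length")
    if any(c not in chars for c in token):
        raise ValueError("has invalid characters")
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)]
        for c, m in zip(cipher, mask)
    )


def tokens_match(token_a, token_b):
    """Compare two masked tokens by their underlying secrets, in constant time."""
    return hmac.compare_digest(unmask_token(token_a), unmask_token(token_b))
```

Two tokens produced from the same secret with different masks differ as strings but still match, which is why a check on the raw token text alone would reject valid submissions.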