django.middleware.csrf

module documentation

(source)

Cross Site Request Forgery Middleware. This module provides a middleware that implements protection against request forgeries from other sites.

Class	`CsrfViewMiddleware`	Require a present and correct csrfmiddlewaretoken for POST requests that have a CSRF cookie, and set an outgoing CSRF cookie.
Exception	`InvalidTokenFormat`	Undocumented
Exception	`RejectRequest`	Undocumented
Function	`get_token`	Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set.
Function	`rotate_token`	Change the CSRF token in use for a request - should be done on login for security purposes.
Constant	`CSRF_ALLOWED_CHARS`	Undocumented
Constant	`CSRF_SECRET_LENGTH`	Undocumented
Constant	`CSRF_SESSION_KEY`	Undocumented
Constant	`CSRF_TOKEN_LENGTH`	Undocumented
Constant	`REASON_BAD_ORIGIN`	Undocumented
Constant	`REASON_BAD_REFERER`	Undocumented
Constant	`REASON_CSRF_TOKEN_MISSING`	Undocumented
Constant	`REASON_INCORRECT_LENGTH`	Undocumented
Constant	`REASON_INSECURE_REFERER`	Undocumented
Constant	`REASON_INVALID_CHARACTERS`	Undocumented
Constant	`REASON_MALFORMED_REFERER`	Undocumented
Constant	`REASON_NO_CSRF_COOKIE`	Undocumented
Constant	`REASON_NO_REFERER`	Undocumented
Variable	`invalid_token_chars_re`	Undocumented
Variable	`logger`	Undocumented
Function	`_add_new_csrf_cookie`	Generate a new random CSRF_COOKIE value, and add it to request.META.
Function	`_check_token_format`	Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked.
Function	`_does_token_match`	Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary.
Function	`_get_failure_view`	Return the view to be used for CSRF rejections.
Function	`_get_new_csrf_string`	Undocumented
Function	`_mask_cipher_secret`	Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret.
Function	`_unmask_cipher_token`	Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret.

def get_token(request): (source) ¶

Return the CSRF token required for a POST form. The token is an alphanumeric value. A new token is created if one is not already set. A side effect of calling this function is to make the csrf_protect decorator and the CsrfViewMiddleware add a CSRF cookie and a 'Vary: Cookie' header to the outgoing response. For this reason, you may need to use this function lazily, as is done by the csrf context processor.

def rotate_token(request): (source) ¶

Change the CSRF token in use for a request - should be done on login for security purposes.

CSRF_ALLOWED_CHARS = (source) ¶

Undocumented

Value

string.ascii_letters+string.digits

CSRF_SECRET_LENGTH: int = (source) ¶

Undocumented

Value

CSRF_SESSION_KEY: str = (source) ¶

Undocumented

Value

'_csrftoken'

CSRF_TOKEN_LENGTH = (source) ¶

Undocumented

Value

2*CSRF_SECRET_LENGTH

REASON_BAD_ORIGIN: str = (source) ¶

Undocumented

Value

'Origin checking failed - %s does not match any trusted origins.'

REASON_BAD_REFERER: str = (source) ¶

Undocumented

Value

'Referer checking failed - %s does not match any trusted origins.'

REASON_CSRF_TOKEN_MISSING: str = (source) ¶

Undocumented

Value

'CSRF token missing.'

REASON_INCORRECT_LENGTH: str = (source) ¶

Undocumented

Value

'has incorrect length'

REASON_INSECURE_REFERER: str = (source) ¶

Undocumented

Value

'Referer checking failed - Referer is insecure while host is secure.'

REASON_INVALID_CHARACTERS: str = (source) ¶

Undocumented

Value

'has invalid characters'

REASON_MALFORMED_REFERER: str = (source) ¶

Undocumented

Value

'Referer checking failed - Referer is malformed.'

REASON_NO_CSRF_COOKIE: str = (source) ¶

Undocumented

Value

'CSRF cookie not set.'

REASON_NO_REFERER: str = (source) ¶

Undocumented

Value

'Referer checking failed - no Referer.'

invalid_token_chars_re = (source) ¶

Undocumented

logger = (source) ¶

Undocumented

def _add_new_csrf_cookie(request): (source) ¶

Generate a new random CSRF_COOKIE value, and add it to request.META.

def _check_token_format(token): (source) ¶

Raise an InvalidTokenFormat error if the token has an invalid length or characters that aren't allowed. The token argument can be a CSRF cookie secret or non-cookie CSRF token, and either masked or unmasked.

def _does_token_match(request_csrf_token, csrf_secret): (source) ¶

Return whether the given CSRF token matches the given CSRF secret, after unmasking the token if necessary. This function assumes that the request_csrf_token argument has been validated to have the correct length (CSRF_SECRET_LENGTH or CSRF_TOKEN_LENGTH characters) and allowed characters, and that if it has length CSRF_TOKEN_LENGTH, it is a masked secret.

def _get_failure_view(): (source) ¶

Return the view to be used for CSRF rejections.

def _get_new_csrf_string(): (source) ¶

Undocumented

def _mask_cipher_secret(secret): (source) ¶

Given a secret (assumed to be a string of CSRF_ALLOWED_CHARS), generate a token by adding a mask and applying it to the secret.

def _unmask_cipher_token(token): (source) ¶

Given a token (assumed to be a string of CSRF_ALLOWED_CHARS, of length CSRF_TOKEN_LENGTH, and that its first half is a mask), use it to decrypt the second half to produce the original secret.