Cross Site Request Forgery is a malicious attack that exploits the trust a website places in the user's browser.
I am trying a login scenario for a page, but I get an error because the csrf_token and other dynamic parameters are regenerated every time I run the test. How can I obtain these csrf...
CSRF attacks can be effectively prevented with the following simple method: on the frontend, generate a UUID for each request and send this UUID to the backend both in a cookie and in a request header.
Angular 5 cannot get the XSRF token from HttpXsrfTokenExtractor
I am trying to send a POST request via an absolute URL to a Spring (basic authentication) secured REST API. I read that Angular omits automatically inserting X-XSRF-TOKEN into the request headers...
The problem is that the project was running before.. then suddenly I started seeing 419 on all my POST requests, and I also have @csrf on all my forms:

    <form method="POST" action="{{ route('login') }}">
        @csrf
        <div class="form_title pb-2">
            <h4>@lang('Login Here')</h4>
        </div>
        <div class="mb-4">
            <input class="form-control" type="text" name="username" value="{{old('username')}}" placeholder="@lang('Email Or Username')">
            @error('username')<p class="text-danger mt-1">@lang($message)</p>@enderror
            @error('email')<p class="text-danger mt-1">@lang($message)</p>@enderror
        </div>

Allow your URL in VerifyCsrfToken, which is inside middleware. For example, if your URL is /login then write something like the following in the VerifyCsrfToken file:

    protected $except = [
        'login'
    ];
Nuxt.js and Laravel API - CSRF token mismatch
I am trying to build a login page using nuxt.js as the frontend and Laravel as the API. However, after I fetch the csrf token from the sanctum cookie endpoint, I cannot use it because of "CSRF token mismatch". ....
Can I use a CSRF token as the value of the state parameter in an OAuth flow?
While implementing the Azure OAuth flow I used the state parameter. The Azure documentation describes the state parameter as: a value included in the request that will also be returned in the token response. It can be a string...
How to add protection against Cross-Site Request Forgery (CSRF) attacks to a legacy web application built on Java and the struts2 framework [duplicate]
How can I add protection against Cross-Site Request Forgery (CSRF) attacks to a legacy web application built on Java and the struts2 framework? I tried adding a filter in front of the servlet and got stuck there.
Whenever I hit the server 2-3 times per second, the axios request uses a different X-XSRF-TOKEN header instead of the one from the cookie.

    let axiosInst = axios.create({
        baseURL: ...
Laravel csrf_field() - only for forms with method="POST"?
I know nothing about CSRF attacks, but I know that in Laravel we are supposed to include a hidden CSRF token field in forms like this:

    <form method="POST" action="/profile">
        {{ csrf_field() }}
        ...
    </form>

Should we also include it in forms that use method="GET"?

    <form method="GET" action="/search">
        {{ csrf_field() }}
        ...
    </form>

For example, I have a search input (form) whose method is "GET", so everything will be visible in the URL, including the CSRF token... That is not a problem for me at all, but I'm just not sure whether putting it in a "GET" form makes any sense?

Well, you don't need to add a CSRF token to a form GET request. Cross-site request forgery (CSRF) is a malicious exploit that executes unauthorized commands on behalf of an authenticated user. You can read the basic details here.

Actually, CSRF is possible with both GET and POST. Example:

    <img src="https://somesite.com/adduser.php?username=test&password=test&role=admin">

If you have an insecure function that uses GET, a request to it can also be forged simply by placing it in an image. That is why, besides the CSRF token in the request itself, it is usually considered good practice to combine it with cookie- or even header-based measures:

- Origin security checks
- SameSite attribute on the session cookie set to "Strict"
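The two ideas above, a per-request token sent both in a cookie and in a header (the "double-submit" scheme described at the top of this page) and an Origin check on top of it, are small enough to show end to end. The following is an added example written for this page, not code from Laravel or from any of the posts here; the origin, cookie name and header name are assumed values, and the request is modelled as plain dictionaries so it runs offline.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed illustration, not code from the page: a double-submit cookie
# CSRF check with an Origin/Referer pre-check. All names below are assumptions.
ALLOWED_ORIGINS = {"https://app.example.test"}   # assumed site origin
COOKIE_NAME = "csrf_token"                        # assumed cookie name
HEADER_NAME = "X-CSRF-Token"                      # assumed header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Fresh unpredictable token; secrets.token_urlsafe draws from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the token.

    Deliberately not HttpOnly: the frontend must read it to copy it into the
    header. SameSite=Strict means the browser will not attach the cookie to
    requests that another site initiates (the <img> case in the answer above).
    """
    return f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite=Strict"


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, otherwise scheme://host taken from the Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(method: str, headers: Dict[str, str],
               cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request.

    Safe methods are waved through, which is only sound if no GET handler
    changes state; the answer above shows why a state-changing GET is forgeable.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    cookie_token = cookies.get(COOKIE_NAME)
    header_token = headers.get(HEADER_NAME)
    if not cookie_token or not header_token:
        return False, "token missing from cookie or header"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token()
    print(set_cookie_header(tok))
    print(csrf_check("POST", {"Origin": "https://app.example.test", HEADER_NAME: tok},
                     {COOKIE_NAME: tok}))
    print(csrf_check("POST", {"Origin": "https://other.example.test", HEADER_NAME: tok},
                     {COOKIE_NAME: tok}))
```

A plain double-submit cookie is only as strong as the site's control over its cookie namespace: anything that can set a cookie for the domain (a sibling subdomain, for instance) could satisfy the match, which is why frameworks such as Django and CodeIgniter also tie the token to the session or sign it, and why the Origin check is kept in front of the token comparison rather than replaced by it.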
303 error when submitting a form from a modal in CodeIgniter 4 with csrf enabled
I have a codeigniter4 web application with the following view, which contains a modal that submits data.

    <script>
    function deleteConfirm(url){
        $('#btn-delete').attr('href', url);
        $('#deleteModal').modal();
    }
    </script>

    <!-- Begin Page Content -->
    <div class="container-fluid">
      <!-- Page Heading -->
      <h1 class="h3 mb-4 text-gray-800"><?= esc($title); ?></h1>
      <div class="col-lg-7">
        <?php if(session()->getFlashdata('message')):?>
          <?= session()->getFlashdata('message') ?>
        <?php endif; unset($_SESSION['message']); ?>
      </div>
      <div class="card col-lg-7 shadow mb-4">
        <div class="card-header py-3">
          <h6 class="m-0 font-weight-bold text-primary"><a href="" data-toggle="modal" data-target="#newRoleModal"><i class="fas fa-plus"></i> Add New</a></h6>
        </div>
        <div class="card-body">
          <div class="table-responsive">
            <table class="table table-bordered table-hover table-striped" id="dataTable" width="100%" cellspacing="0">
              <!--<thead class="thead-dark">-->
              <thead class="bg-warning">
                <tr>
                  <th>#</th>
                  <th>Authority</th>
                  <th>Action</th>
                </tr>
              </thead>
              <tbody>
                <?php $index = 1; ?>
                <?php foreach($role as $r) : ?>
                <tr>
                  <td><?= esc($index); ?></td>
                  <td><?= esc($r['role']); ?></td>
                  <td>
                    <a class="badge badge-primary" style="font-size:14px;" href="<?= site_url('admin/roleaccess/'.$r['id']); ?>">Manage Access</a>
                    <a class="badge badge-success" style="font-size:14px;" href="<?= site_url('admin/editrole/'.$r['id']); ?>">Update</a>
                    <a class="badge badge-danger" style="font-size:14px;" href="#!" onclick="deleteConfirm('<?= site_url('admin/deleterole/'.$r['id']); ?>')">Delete</a>
                  </td>
                </tr>
                <?php $index++; ?>
                <?php endforeach; ?>
              </tbody>
            </table>
          </div>
        </div>
      </div>
    </div>
    <!-- /.container-fluid -->
    </div>
    <!-- End of Main Content -->

    <!-- Modal add new role-->
    <div class="modal fade" id="newRoleModal" tabindex="-1" role="dialog" aria-labelledby="newRoleModalLabel" aria-hidden="true">
      <div class="modal-dialog">
        <div class="modal-content">
          <div class="modal-header">
            <h5 class="modal-title" id="newRoleModalLabel">Add New Authority</h5>
            <button type="button" class="close" data-dismiss="modal" aria-label="Close">
              <span aria-hidden="true">&times;</span>
            </button>
          </div>
          <!-- form -->
          <?php $attributes = array('id' => 'myform'); ?>
          <?= form_open('admin/addrole'); ?>
          <div class="modal-body">
            <div class="form-group">
              <input type="text" class="form-control" id="role" name="role" placeholder="Name of Authority">
            </div>
          </div>
          <div class="modal-footer">
            <button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
            <button type="submit" class="btn btn-success">Add</button>
          </div>
          <?= form_close(); ?>
        </div>
      </div>
    </div>

    <!-- modal delete -->
    <div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
      <div class="modal-dialog" role="document">
        <div class="modal-content">
          <div class="modal-header">
            <h5 class="modal-title" id="exampleModalLabel">Are you sure?</h5>
            <button class="close" type="button" data-dismiss="modal" aria-label="Close">
              <span aria-hidden="true">×</span>
            </button>
          </div>
          <div class="modal-body">Deleted data cannot be recovered!!</div>
          <div class="modal-footer">
            <button class="btn btn-secondary" type="button" data-dismiss="modal">Cancel</button>
            <a id="btn-delete" class="btn btn-danger" href="#">Remove</a>
          </div>
        </div>
      </div>
    </div>

When csrf is enabled, the form submission redirects back to the view itself. When I check the Network tab in the web console, it shows a 303 status on addrole, which is the controller method that handles the submitted form data. However, when csrf is disabled it works fine. How can I make it work?

My Filters class

    <?php

    namespace Config;

    use CodeIgniter\Config\BaseConfig;
    use CodeIgniter\Filters\CSRF;
    use CodeIgniter\Filters\DebugToolbar;
    use CodeIgniter\Filters\Honeypot;
    use CodeIgniter\Filters\InvalidChars;
    use CodeIgniter\Filters\SecureHeaders;

    class Filters extends BaseConfig
    {
        /**
         * Configures aliases for Filter classes to
         * make reading things nicer and simpler.
         *
         * @var array
         */
        public $aliases = [
            'csrf'          => CSRF::class,
            'toolbar'       => DebugToolbar::class,
            'honeypot'      => Honeypot::class,
            'invalidchars'  => InvalidChars::class,
            'secureheaders' => SecureHeaders::class,
            'auth'          => \App\Filters\Auth::class,
        ];

        /**
         * List of filter aliases that are always
         * applied before and after every request.
         *
         * @var array
         */
        /*public $globals = [
            'before' => [
                // 'honeypot',
                'csrf',
                // 'invalidchars',
            ],
            'after' => [
                //'toolbar',
                // 'honeypot',
                // 'secureheaders',
            ],
        ];*/
        public $globals = [
            'before' => [
                //'honeypot',
                'csrf',
                //'isLoggedIn' => ['except' => ['/', 'admin','users', 'dashboard', 'logout','auth','Ticket/getStatusCounts']],
                //'isGranted' => ['except' => ['/', 'admin', 'users','dashboard', 'logout','auth', 'blocked', 'home', 'Welcome/*','Registration/*','profile','profile_save','profile_edit','Ticket/getStatusCounts']],
            ],
            'after' => [
                'toolbar',
                // 'honeypot',
            ],
        ];

        /**
         * List of filter aliases that works on a
         * particular HTTP method (GET, POST, etc.).
         *
         * Example:
         * 'post' => ['foo', 'bar']
         *
         * If you use this, you should disable auto-routing because auto-routing
         * permits any HTTP method to access a controller. Accessing the controller
         * with a method you don't expect could bypass the filter.
         *
         * @var array
         */
        public $methods = [];

        /**
         * List of filter aliases that should run on any
         * before or after URI patterns.
         *
         * Example:
         * 'isLoggedIn' => ['before' => ['account/*', 'profiles/*']]
         *
         * @var array
         */
        public $filters = [];
    }

My Config/App file

    <?php

    namespace Config;

    use CodeIgniter\Config\BaseConfig;
    use CodeIgniter\Session\Handlers\FileHandler;

    class App extends BaseConfig
    {
        /**
         * --------------------------------------------------------------------------
         * Base Site URL
         * --------------------------------------------------------------------------
         *
         * URL to your CodeIgniter root. Typically this will be your base URL,
         * WITH a trailing slash:
         *
         *    http://example.com/
         *
         * If this is not set then CodeIgniter will try guess the protocol, domain
         * and path to your installation. However, you should always configure this
         * explicitly and never rely on auto-guessing, especially in production
         * environments.
         *
         * @var string
         */
        public $baseURL = 'http://localhost/demo/public';

        /**
         * --------------------------------------------------------------------------
         * Index File
         * --------------------------------------------------------------------------
         *
         * Typically this will be your index.php file, unless you've renamed it to
         * something else. If you are using mod_rewrite to remove the page set this
         * variable so that it is blank.
         *
         * @var string
         */
        public $indexPage = 'index.php';

        /**
         * --------------------------------------------------------------------------
         * URI PROTOCOL
         * --------------------------------------------------------------------------
         *
         * This item determines which getServer global should be used to retrieve the
         * URI string. The default setting of 'REQUEST_URI' works for most servers.
         * If your links do not seem to work, try one of the other delicious flavors:
         *
         * 'REQUEST_URI'    Uses $_SERVER['REQUEST_URI']
         * 'QUERY_STRING'   Uses $_SERVER['QUERY_STRING']
         * 'PATH_INFO'      Uses $_SERVER['PATH_INFO']
         *
         * WARNING: If you set this to 'PATH_INFO', URIs will always be URL-decoded!
         *
         * @var string
         */
        public $uriProtocol = 'REQUEST_URI';

        /**
         * --------------------------------------------------------------------------
         * Default Locale
         * --------------------------------------------------------------------------
         *
         * The Locale roughly represents the language and location that your visitor
         * is viewing the site from. It affects the language strings and other
         * strings (like currency markers, numbers, etc), that your program
         * should run under for this request.
         *
         * @var string
         */
        public $defaultLocale = 'en';

        /**
         * --------------------------------------------------------------------------
         * Negotiate Locale
         * --------------------------------------------------------------------------
         *
         * If true, the current Request object will automatically determine the
         * language to use based on the value of the Accept-Language header.
         *
         * If false, no automatic detection will be performed.
         *
         * @var bool
         */
        public $negotiateLocale = false;

        /**
         * --------------------------------------------------------------------------
         * Supported Locales
         * --------------------------------------------------------------------------
         *
         * If $negotiateLocale is true, this array lists the locales supported
         * by the application in descending order of priority. If no match is
         * found, the first locale will be used.
         *
         * @var string[]
         */
        public $supportedLocales = ['en'];

        /**
         * --------------------------------------------------------------------------
         * Application Timezone
         * --------------------------------------------------------------------------
         *
         * The default timezone that will be used in your application to display
         * dates with the date helper, and can be retrieved through app_timezone()
         *
         * @var string
         */
        public $appTimezone = 'Asia/Kolkata';

        /**
         * --------------------------------------------------------------------------
         * Default Character Set
         * --------------------------------------------------------------------------
         *
         * This determines which character set is used by default in various methods
         * that require a character set to be provided.
         *
         * @see http://php.net/htmlspecialchars for a list of supported charsets.
         *
         * @var string
         */
        public $charset = 'UTF-8';

        /**
         * --------------------------------------------------------------------------
         * URI PROTOCOL
         * --------------------------------------------------------------------------
         *
         * If true, this will force every request made to this application to be
         * made via a secure connection (HTTPS). If the incoming request is not
         * secure, the user will be redirected to a secure version of the page
         * and the HTTP Strict Transport Security header will be set.
         *
         * @var bool
         */
        public $forceGlobalSecureRequests = false;

        /**
         * --------------------------------------------------------------------------
         * Session Driver
         * --------------------------------------------------------------------------
         *
         * The session storage driver to use:
         * - `CodeIgniter\Session\Handlers\FileHandler`
         * - `CodeIgniter\Session\Handlers\DatabaseHandler`
         * - `CodeIgniter\Session\Handlers\MemcachedHandler`
         * - `CodeIgniter\Session\Handlers\RedisHandler`
         *
         * @var string
         */
        public $sessionDriver = FileHandler::class;

        /**
         * --------------------------------------------------------------------------
         * Session Cookie Name
         * --------------------------------------------------------------------------
         *
         * The session cookie name, must contain only [0-9a-z_-] characters
         *
         * @var string
         */
        public $sessionCookieName = 'ci_session';

        /**
         * --------------------------------------------------------------------------
         * Session Expiration
         * --------------------------------------------------------------------------
         *
         * The number of SECONDS you want the session to last.
         * Setting to 0 (zero) means expire when the browser is closed.
         *
         * @var int
         */
        public $sessionExpiration = 7200;

        /**
         * --------------------------------------------------------------------------
         * Session Save Path
         * --------------------------------------------------------------------------
         *
         * The location to save sessions to and is driver dependent.
         *
         * For the 'files' driver, it's a path to a writable directory.
         * WARNING: Only absolute paths are supported!
         *
         * For the 'database' driver, it's a table name.
         * Please read up the manual for the format with other session drivers.
         *
         * IMPORTANT: You are REQUIRED to set a valid save path!
         *
         * @var string
         */
        public $sessionSavePath = WRITEPATH . 'session';

        /**
         * --------------------------------------------------------------------------
         * Session Match IP
         * --------------------------------------------------------------------------
         *
         * Whether to match the user's IP address when reading the session data.
         *
         * WARNING: If you're using the database driver, don't forget to update
         * your session table's PRIMARY KEY when changing this setting.
         *
         * @var bool
         */
        public $sessionMatchIP = false;

        /**
         * --------------------------------------------------------------------------
         * Session Time to Update
         * --------------------------------------------------------------------------
         *
         * How many seconds between CI regenerating the session ID.
         *
         * @var int
         */
        public $sessionTimeToUpdate = 300;

        /**
         * --------------------------------------------------------------------------
         * Session Regenerate Destroy
         * --------------------------------------------------------------------------
         *
         * Whether to destroy session data associated with the old session ID
         * when auto-regenerating the session ID. When set to FALSE, the data
         * will be later deleted by the garbage collector.
         *
         * @var bool
         */
        public $sessionRegenerateDestroy = false;

        /**
         * --------------------------------------------------------------------------
         * Cookie Prefix
         * --------------------------------------------------------------------------
         *
         * Set a cookie name prefix if you need to avoid collisions.
         *
         * @var string
         *
         * @deprecated use Config\Cookie::$prefix property instead.
         */
        public $cookiePrefix = '';

        /**
         * --------------------------------------------------------------------------
         * Cookie Domain
         * --------------------------------------------------------------------------
         *
         * Set to `.your-domain.com` for site-wide cookies.
         *
         * @var string
         *
         * @deprecated use Config\Cookie::$domain property instead.
         */
        public $cookieDomain = '';

        /**
         * --------------------------------------------------------------------------
         * Cookie Path
         * --------------------------------------------------------------------------
         *
         * Typically will be a forward slash.
         *
         * @var string
         *
         * @deprecated use Config\Cookie::$path property instead.
         */
        public $cookiePath = '/';

        /**
         * --------------------------------------------------------------------------
         * Cookie Secure
         * --------------------------------------------------------------------------
         *
         * Cookie will only be set if a secure HTTPS connection exists.
         *
         * @var bool
         *
         * @deprecated use Config\Cookie::$secure property instead.
         */
        public $cookieSecure = false;

        /**
         * --------------------------------------------------------------------------
         * Cookie HttpOnly
         * --------------------------------------------------------------------------
         *
         * Cookie will only be accessible via HTTP(S) (no JavaScript).
         *
         * @var bool
         *
         * @deprecated use Config\Cookie::$httponly property instead.
         */
        public $cookieHTTPOnly = true;

        /**
         * --------------------------------------------------------------------------
         * Cookie SameSite
         * --------------------------------------------------------------------------
         *
         * Configure cookie SameSite setting. Allowed values are:
         * - None
         * - Lax
         * - Strict
         * - ''
         *
         * Alternatively, you can use the constant names:
         * - `Cookie::SAMESITE_NONE`
         * - `Cookie::SAMESITE_LAX`
         * - `Cookie::SAMESITE_STRICT`
         *
         * Defaults to `Lax` for compatibility with modern browsers. Setting `''`
         * (empty string) means default SameSite attribute set by browsers (`Lax`)
         * will be set on cookies. If set to `None`, `$cookieSecure` must also be set.
         *
         * @var string|null
         *
         * @deprecated use Config\Cookie::$samesite property instead.
         */
        public $cookieSameSite = 'Lax';

        /**
         * --------------------------------------------------------------------------
         * Reverse Proxy IPs
         * --------------------------------------------------------------------------
         *
         * If your server is behind a reverse proxy, you must whitelist the proxy
         * IP addresses from which CodeIgniter should trust headers such as
         * HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
         * the visitor's IP address.
         *
         * You can use both an array or a comma-separated list of proxy addresses,
         * as well as specifying whole subnets. Here are a few examples:
         *
         * Comma-separated:  '10.0.1.200,192.168.5.0/24'
         * Array:            ['10.0.1.200', '192.168.5.0/24']
         *
         * @var string|string[]
         */
        public $proxyIPs = '';

        /**
         * --------------------------------------------------------------------------
         * CSRF Token Name
         * --------------------------------------------------------------------------
         *
         * The token name.
         *
         * @deprecated Use `Config\Security` $tokenName property instead of using this property.
         *
         * @var string
         */
        public $CSRFTokenName = 'csrf_test_name';

        /**
         * --------------------------------------------------------------------------
         * CSRF Header Name
         * --------------------------------------------------------------------------
         *
         * The header name.
         *
         * @deprecated Use `Config\Security` $headerName property instead of using this property.
         *
         * @var string
         */
        public $CSRFHeaderName = 'X-CSRF-TOKEN';

        /**
         * --------------------------------------------------------------------------
         * CSRF Cookie Name
         * --------------------------------------------------------------------------
         *
         * The cookie name.
         *
         * @deprecated Use `Config\Security` $cookieName property instead of using this property.
         *
         * @var string
         */
        public $CSRFCookieName = 'csrf_cookie_name';

        /**
         * --------------------------------------------------------------------------
         * CSRF Expire
         * --------------------------------------------------------------------------
         *
         * The number in seconds the token should expire.
         *
         * @deprecated Use `Config\Security` $expire property instead of using this property.
         *
         * @var int
         */
        public $CSRFExpire = 7200;

        /**
         * --------------------------------------------------------------------------
         * CSRF Regenerate
         * --------------------------------------------------------------------------
         *
         * Regenerate token on every submission?
         *
         * @deprecated Use `Config\Security` $regenerate property instead of using this property.
         *
         * @var bool
         */
        public $CSRFRegenerate = false;

        /**
         * --------------------------------------------------------------------------
         * CSRF Redirect
         * --------------------------------------------------------------------------
         *
         * Redirect to previous page with error on failure?
         *
         * @deprecated Use `Config\Security` $redirect property instead of using this property.
         *
         * @var bool
         */
        public $CSRFRedirect = false;

        /**
         * --------------------------------------------------------------------------
         * CSRF SameSite
         * --------------------------------------------------------------------------
         *
         * Setting for CSRF SameSite cookie token. Allowed values are:
         * - None
         * - Lax
         * - Strict
         * - ''
         *
         * Defaults to `Lax` as recommended in this link:
         *
         * @see https://portswigger.net/web-security/csrf/samesite-cookies
         * @deprecated `Config\Cookie` $samesite property is used.
         *
         * @var string
         */
        public $CSRFSameSite = 'Lax';

        /**
         * --------------------------------------------------------------------------
         * Content Security Policy
         * --------------------------------------------------------------------------
         *
         * Enables the Response's Content Secure Policy to restrict the sources that
         * can be used for images, scripts, CSS files, audio, video, etc. If enabled,
         * the Response object will populate default values for the policy from the
         * `ContentSecurityPolicy.php` file. Controllers can always add to those
         * restrictions at run time.
         *
         * For a better understanding of CSP, see these documents:
         *
         * @see http://www.html5rocks.com/en/tutorials/security/content-security-policy/
         * @see http://www.w3.org/TR/CSP/
         *
         * @var bool
         */
        public $CSPEnabled = false;
    }

My Security class

    <?php

    namespace Config;

    use CodeIgniter\Config\BaseConfig;

    class Security extends BaseConfig
    {
        /**
         * --------------------------------------------------------------------------
         * CSRF Protection Method
         * --------------------------------------------------------------------------
         *
         * Protection Method for Cross Site Request Forgery protection.
         *
         * @var string 'cookie' or 'session'
         */
        public $csrfProtection = 'cookie';

        /**
         * --------------------------------------------------------------------------
         * CSRF Token Randomization
         * --------------------------------------------------------------------------
         *
         * Randomize the CSRF Token for added security.
         *
         * @var bool
         */
        public $tokenRandomize = true;

        /**
         * --------------------------------------------------------------------------
         * CSRF Token Name
         * --------------------------------------------------------------------------
         *
         * Token name for Cross Site Request Forgery protection.
         *
         * @var string
         */
        public $tokenName = 'csrf_test_name';

        /**
         * --------------------------------------------------------------------------
         * CSRF Header Name
         * --------------------------------------------------------------------------
         *
         * Header name for Cross Site Request Forgery protection.
         *
         * @var string
         */
        public $headerName = 'X-CSRF-TOKEN';

        /**
         * --------------------------------------------------------------------------
         * CSRF Cookie Name
         * --------------------------------------------------------------------------
         *
         * Cookie name for Cross Site Request Forgery protection.
         *
         * @var string
         */
        public $cookieName = 'csrf_cookie_name';

        /**
         * --------------------------------------------------------------------------
         * CSRF Expires
         * --------------------------------------------------------------------------
         *
         * Expiration time for Cross Site Request Forgery protection cookie.
         *
         * Defaults to two hours (in seconds).
         *
         * @var int
         */
        public $expires = 7200;

        /**
         * --------------------------------------------------------------------------
         * CSRF Regenerate
         * --------------------------------------------------------------------------
         *
         * Regenerate CSRF Token on every submission.
         *
         * @var bool
         */
        public $regenerate = false;

        /**
         * --------------------------------------------------------------------------
         * CSRF Redirect
         * --------------------------------------------------------------------------
         *
         * Redirect to previous page with error on failure.
         *
         * @var bool
         */
        public $redirect = true;

        /**
         * --------------------------------------------------------------------------
         * CSRF SameSite
         * --------------------------------------------------------------------------
         *
         * Setting for CSRF SameSite cookie token.
         *
         * Allowed values are: None - Lax - Strict - ''.
         *
         * Defaults to `Lax` as recommended in this link:
         *
         * @see https://portswigger.net/web-security/csrf/samesite-cookies
         *
         * @var string
         *
         * @deprecated `Config\Cookie` $samesite property is used.
         */
        public $samesite = 'Lax';
    }

Please help me get the form submission working with csrf enabled.

The view of my Codeigniter4 application has a modal that submits form data. When csrf is enabled this returns a 303 HTTP status; however, when csrf is disabled the form submits the data correctly. Where should I make the correction so that it works with csrf enabled?

You need to add the csrf token and hash to the ajax parameters, or include csrf_field in the form.

    For Ajax

    var token = '<?= csrf_token(); ?>';
    var hash  = '<?= csrf_hash(); ?>';
    ajaxParam = { ... , [token] : hash };
    $.ajax({....});

    For Form submit add in form html

    <?= csrf_field(); ?>
CSRF session token missing error. Express.js app using axios. Not using forms
I have been going crazy over this error message. Please bear with me, because I'm just not that smart. I have a Flask app written in Python with CSRFProtect enabled in the app...
Spring Security 6.0 - oauth2Login with MS Azure and CSRF token - how to log in from Postman?
I am a beginner with Spring Security configuration, and my goal is to set up two things: CSRF tokens, and Microsoft Azure authorization. First I added the oauth client to the properties: spring.security.oauth2.cli...
omniauth: (linkedin) Authentication failure! invalid_credentials
Request phase initiated.

    Started GET "/users/auth/linkedin/callback?code=...&state=..." for 127.0.0.1 at 2022-09-14 20:50:20 +0200
    D, [2022-09-14T20:50:20.537126 #37240] DEBUG -- omniauth...
I am using Laravel 6. I want my Laravel CSRF token to expire every 60 seconds. config/session:

    'lifetime' => 60,
No idea how to solve this :/. views.py:

    # coding: utf-8
    from django.http import HttpResponseRedirect
    from django.core.urlresolvers import reverse
    from django.views.generic.simple imp...
Python Django gives me Forbidden (403) CSRF verification failed. Request aborted
Django version = 2.2.2. The problem seems to occur when using Google Chrome. I added {% csrf_token %} to all my form tags, like this:

    {% extends 'base.html' %}
    {% block content %}
    <form method="post">
        {% csrf_token %}  {# -------------> here it is #}
        {% for field in login_form %}
        <p>
            {{field.label_tag}} {{field}}
            {% if field.help_text %} {{field.help_text}} {% endif %}
        </p>
        {% endfor %}
        {% for field in login_form %}
            {% for error in field.errors %}
            <p>{{error}}</p>
            {% endfor %}
        {% endfor %}
        {% if login_form.non_field_errors %}
        <p>{{login_form.non_field_errors}}</p>
        {% endif %}
        <input type="submit" value="Login">
    </form>
    {% endblock content %}

But when I actually try to log in with that form and click the submit button, it should redirect me to the home page. Instead, it gives me the following error message:

    Forbidden (403)
    CSRF verification failed. Request aborted.

    Help
    Reason given for failure:
        CSRF token missing or incorrect.

    In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
    - Your browser is accepting cookies.
    - The view function passes a request to the template's render method.
    - In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
    - If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
    - The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

    You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
    You can customize this page using the CSRF_FAILURE_VIEW setting.

This is the error you are facing: https://docs.djangoproject.com/en/3.1/ref/csrf/#rejected-requests

You can use the @csrf_exempt decorator to prevent the csrf error, and with it you can remove {% csrf_token %} entirely. Check this: https://docs.djangoproject.com/en/3.0/ref/csrf/#django.views.decorators.csrf.csrf_exempt

Please make sure these lines are included in your settings file:

    CSRF_TRUSTED_ORIGINS = [
        'http://localhost:8000',
        '0.0.0.0',
        'http://*youripaddress*',
    ]

    ALLOWED_HOSTS = [
        'localhost',
        '0.0.0.0',
        'http://*youripaddress*',
    ]

    CORS_ORIGIN_WHITELIST = [
        'http://localhost:8000',
        '0.0.0.0',
        'http://*youripaddress*',
    ]

By default, Django includes the ALLOWED_HOSTS option when generating a project, but the trusted-origins and whitelist options need to be added manually.
Django: CSRF cookie not set inside an iframe -- a workaround without csrf exemption
My project deploys iframes on several third-party sites, all of which are known and registered in the django app. Inside these iframes, users can trigger some ajax-style events. Open...
Need advice. Forbidden (403) CSRF verification failed. Request aborted. Django error
I am building a website with django, and when I log in, go back, and then try to log in again, I get this error message. Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure:...
Django CSRF fails because of Docker's .env file
Hi, I am using Docker to build a Django web app via Docker-Compose, which uses a .env.dev file for environment variables. The problem is the CSRF_TRUSTED_ORIGINS variable: if I put
Hello, I am running into a CSRF issue in my application when submitting a form. I am using struts 1 and I do not want to upgrade struts; can anyone help me with how to implement CSRF protection? I tried tokens, but it doesn't work.