Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a common web attack: it abuses the identity and permissions of a logged-in user to trick the server into performing actions the user never intended. Django ships a built-in CSRF protection mechanism that helps shield an application from CSRF attacks.

Django's CSRF protection is implemented with a CSRF token: a cryptographic string bound to the user's session and the request. Every POST, PUT, PATCH and DELETE request must carry this token, either in the form or in the AJAX request, so that the server can verify that the request is legitimate.

In Django, the CSRF token can be obtained in the following ways:

In an HTML template, use the {% csrf_token %} tag to insert the CSRF token into the form:

<form method="post">
    {% csrf_token %}
    {{ form.as_p }}
    <button type="submit">提交</button>
</form>
In AJAX requests, read the CSRF token from the csrfmiddlewaretoken cookie and send it in the X-CSRFToken request header:

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = cookies[i].trim();
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) === (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}
 
function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
 
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
        }
    }
});

In a Django view function, the CSRF token can be obtained with get_token() (it is also exposed through request.META), and the token carried by the request is checked for validity:

from django.middleware.csrf import get_token
from django.views.decorators.csrf import csrf_protect

@csrf_protect  # runs the CsrfViewMiddleware check for this view; a missing or wrong token is rejected with 403
def my_view(request):
    # get_token() returns the token for this request and makes sure the csrftoken cookie is set on the response
    token = get_token(request)
    # ...
    if request.method == 'POST':
        # the token carried by the request has already been validated by the middleware/decorator here;
        # Django has no request.is_csrf_token_valid() method, a failed check never reaches this code,
        # and CSRF_FAILURE_VIEW controls the response returned instead
        ...
Django's CSRF protection lets developers build secure web applications quickly, but a few points need attention. With AJAX requests, the request header must carry the CSRF token, otherwise the server refuses to process the request. The token itself must also be kept from leaking: for example, when a form uses the HTTP GET method, take care that the CSRF token stays hidden.

In short, Django's CSRF protection is a powerful tool that helps developers build secure web applications quickly, but it still has to be used with care so that the CSRF token remains secure.
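The reason the token sent in the X-CSRFToken header (or the csrfmiddlewaretoken field) can look different on every response yet still validate against the csrftoken cookie is that it is the cookie secret masked with a one-time mask. The following is an added example modelled on that scheme, written from the description above rather than taken from Django; the function names and the 32-character secret length are assumptions.

```python
import hmac
import secrets
import string

# Model of Django's CSRF token scheme (added example, not Django's own code).
# Assumption: the cookie holds a 32-character secret; each rendered token is
# that secret masked with a fresh 32-character mask, so tokens differ per
# response while all of them unmask to the same secret.
ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32
TOKEN_LENGTH = 2 * SECRET_LENGTH


def new_secret():
    """Value stored in the csrftoken cookie (and in the session)."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret):
    """Per-response token: mask || (secret + mask) mod |alphabet|, character-wise."""
    mask = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))
    n = len(ALLOWED_CHARS)
    cipher = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Recover the secret from a masked token (inverse of mask_secret)."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    n = len(ALLOWED_CHARS)
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def token_matches(request_token, cookie_secret):
    """Server-side check: the request token must unmask to the cookie secret.
    Malformed tokens are rejected up front; the compare is constant-time."""
    if len(request_token) != TOKEN_LENGTH or any(c not in ALLOWED_CHARS for c in request_token):
        return False
    return hmac.compare_digest(unmask_token(request_token), cookie_secret)
```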

Cross-Site Scripting (XSS)
A cross-site scripting (XSS) attack is a common web security threat: the attacker injects malicious script into the user's browser to steal sensitive information or perform unauthorised actions. Django provides a set of built-in security features to help prevent XSS, including template filters and template tags.

Built-in filter: Django's template engine (the {{ }} variable syntax) provides the safe filter, which marks a string as safe so that no HTML entity escaping is applied to it. Use the safe filter when user-supplied content has to be rendered in a template without escaping:

<p>{{ user_input|safe }}</p>
If user_input might contain malicious script, you must make sure it is trusted, or clean and validate it before it is output.

Template tag: Django also lets you mark a whole block as safe so that nothing inside it is escaped:

{% autoescape off %}
<p>{{ user_input|safe }}</p>
{% endautoescape %}
Here the autoescape off directive switches off the template's automatic escaping; together with the safe filter inside the block, it guarantees that the user input is not escaped.

Content Security Policy (CSP): Django's django.middleware.clickjacking.XSSMiddleware and django.middleware.security.SecurityMiddleware include support for Content Security Policy, which restricts the sources a page may load content from and so prevents malicious scripts from running.

HTML5 mode: Django's X_FRAME_OPTIONS setting controls whether the page may be embedded in other pages, preventing clickjacking attacks, a disguised variant of XSS.

Input validation: whenever user input is received, validate and sanitise it appropriately, making sure the format and content are what you expect, so that no script can be injected.

Even though Django provides these built-in protections, developers still need to stay alert, because attackers may use various techniques to bypass these defences. When handling user input, always follow the principle of least privilege, allowing only the data and functionality that are necessary, and where needed use third-party libraries (such as django-csp or django-xss-filter) for additional hardening.
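To make concrete what autoescaping does and what the safe filter and autoescape off give up, here is an added example (my code, not Django's) that models Django's escaping rules in plain Python: escape() mirrors the five characters Django's autoescape replaces, SafeString stands in for Django's safe-marked strings, and render_comment() renders the two templates shown above. Names are assumptions.

```python
import html


class SafeString(str):
    """Marker type for a string that is already escaped or otherwise trusted (cf. |safe)."""


def mark_safe(s):
    """What the safe filter does: wrap the value so the renderer skips escaping."""
    return SafeString(s)


def escape(s):
    """Escape &, <, >, " and ' as Django's autoescape does; the result is trusted output."""
    return SafeString(html.escape(str(s), quote=True))


def conditional_escape(value, autoescape=True):
    """Render {{ value }}: escape unless autoescaping is off or value was marked safe."""
    if not autoescape or isinstance(value, SafeString):
        return str(value)
    return escape(value)


def render_comment(user_input, use_safe_filter=False, autoescape=True):
    """<p>{{ user_input }}</p>, or <p>{{ user_input|safe }}</p> when use_safe_filter is set;
    autoescape=False corresponds to wrapping the block in {% autoescape off %}."""
    value = mark_safe(user_input) if use_safe_filter else user_input
    return "<p>" + conditional_escape(value, autoescape) + "</p>"


def render_comment_sanitised(user_input):
    """The safe way to end up with a safe-marked value: escape first, then mark the result safe."""
    return "<p>" + conditional_escape(escape(user_input)) + "</p>"
```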

SQL Injection
Django uses Object-Relational Mapping (ORM), which effectively helps developers avoid SQL injection. An ORM is a way of working with the database from a high-level programming language (such as Python) inside the application: construction of the SQL statements moves into the framework, so there is far less need to write SQL by hand.

Django's ORM uses parameterised queries by default. When SQL statements are built, user-supplied data is passed as parameters and escaped automatically instead of being concatenated directly into the SQL string, which is the main entry point for SQL injection.

The following security best practices should be followed when using the Django ORM:

Use the ORM rather than raw SQL: wherever possible, use the Django ORM to work with the database instead of writing raw SQL statements. The ORM escapes user input for you and so avoids SQL injection.

Use parameterised queries: when raw SQL is unavoidable, always use parameterised queries and never concatenate user input into the SQL string. For example, with the execute method of a Django cursor:

from django.db import connection
 
with connection.cursor() as cursor:
    cursor.execute("SELECT * FROM myapp_model WHERE id = %s", [user_id])
    result = cursor.fetchone()
Here %s is a placeholder and [user_id] is the parameter list holding the user-supplied data; it is bound as a parameter and escaped automatically, so SQL injection is avoided.

Use predefined queries: prefer the query methods the Django ORM provides, such as get, filter and exclude, over raw SQL queries. These methods also escape user input automatically and so avoid SQL injection.

Input validation: whenever user input is received, validate and sanitise it appropriately, making sure the format and content are what you expect, so that malicious input is rejected.

Although the Django ORM effectively helps developers avoid SQL injection, it cannot eliminate the risk completely. When handling user input, always follow the principle of least privilege, allowing only the data and functionality that are necessary, and where needed use third-party libraries (such as django-sql-security) for additional hardening.
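The difference between concatenation and the placeholder form above is easiest to see by running both against the same table. This added example (mine, not from the page or Django) uses Python's stdlib sqlite3 with a constructed in-memory table standing in for myapp_model; sqlite3 writes the placeholder as ? where Django's cursor.execute() uses %s, and the binding behaviour is the same. It also adds the input-validation step the text recommends.

```python
import sqlite3


def demo_connection():
    """Constructed sample data: an in-memory table standing in for myapp_model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myapp_model (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO myapp_model VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concatenated(conn, user_id):
    """The anti-pattern the text warns about: user input spliced into the SQL string.
    Whatever the user typed becomes part of the statement, not a value."""
    cur = conn.execute(f"SELECT id, name FROM myapp_model WHERE id = {user_id}")
    return cur.fetchall()


def lookup_parameterised(conn, user_id):
    """The pattern from the text: placeholder plus parameter list.
    The driver binds user_id as a single value, so it can only ever match a row."""
    cur = conn.execute("SELECT id, name FROM myapp_model WHERE id = ?", [user_id])
    return cur.fetchall()


def lookup_validated(conn, user_id):
    """Input validation on top of parameterisation: an id must be a non-negative integer."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterised(conn, int(user_id))
```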

File Upload Attacks
Django provides some built-in security features for handling file uploads that reduce the risk of file upload attacks. The key security measures and best practices are:

File storage and path safety:

Do not use the user-supplied file name: never save a file under the name the user uploaded it with, because that can lead to path traversal. Generate a random file name and make sure the file is stored in a safe directory.
Restrict the storage location: keep uploaded files in a directory controlled by the application and never in a location the web server serves directly, so that uploaded files cannot be accessed directly.
File type and size limits:

Check the file type: validate the type using the mimetype, content_type or file extension so that only the expected file types are accepted.
Limit the file size: set FILE_UPLOAD_MAX_MEMORY_SIZE and FILE_UPLOAD_MAX_NUMBER_PER_FIELD in settings.py to limit the size of a single uploaded file and the number of files that may be uploaded per form field.
File content validation:

Check the file content: for some file types (images, for example), a library such as PIL can check that the content really matches the expected format, to prevent embedded malicious code.
Use Django's FileField and ImageField:

These field types provide built-in validation that checks the file's mimetype and size.
Handle uploaded files safely:

Do not execute untrusted files: never execute user-uploaded files on the server; doing so can lead to code execution.
Isolate uploaded files: where possible, store uploads in an isolated environment to reduce the potential risk.
Use Django middleware and views:

Django middleware can perform additional security checks before an upload reaches the view.
Use view decorators such as @login_required to make sure that only authenticated users can upload files.
Regular updates and security audits:

Update Django and all dependencies regularly so that the latest security fixes are in use.
Carry out security audits to check the upload feature for potential vulnerabilities.
Following these best practices greatly reduces the risk of file upload attacks. Security, however, is an ongoing process that needs continual assessment and improvement.
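The first three groups of practices above (random server-side name, controlled storage directory, type, size and content checks) combine into one pre-save check. The following is an added example, not code from the page or from Django; UPLOAD_ROOT, the 2 MiB limit, the image-only allowlist and the magic-byte table are assumptions for the example (a real deployment would add a full format parse, e.g. with PIL).

```python
import secrets
from pathlib import Path

UPLOAD_ROOT = Path("/var/app/uploads")  # hypothetical: outside the web server's document root
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB per-file limit assumed for this example
# Leading bytes each accepted format must start with (a cheap content check, not a full parse).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}


def choose_storage_path(user_filename, content):
    """Validate size, declared type and actual content, then return a random path under UPLOAD_ROOT.
    Raises ValueError for anything that must be rejected before it touches disk."""
    if len(content) > MAX_SIZE:
        raise ValueError("file too large")
    # The user-supplied name only tells us which type is being claimed; it is never stored.
    ext = Path(user_filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed")
    # The content must match the format the extension claims.
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match declared type")
    # Random, server-generated name: any traversal sequence in user_filename is simply discarded.
    target = (UPLOAD_ROOT / f"{secrets.token_hex(16)}{ext}").resolve()
    # Belt and braces: the final path must still lie inside the upload root.
    if UPLOAD_ROOT.resolve() not in target.parents:
        raise RuntimeError("refusing to write outside the upload root")
    return target
```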

HTTPOnly Cookies
The Django framework supports HTTPOnly cookies, a measure that helps improve the security of a site. An HTTPOnly cookie is a cookie set with the HttpOnly flag. The flag tells the browser that the cookie must not be accessible to client-side script (such as JavaScript).

The key points about HTTPOnly cookies are:

Blunting XSS attacks: an HTTPOnly cookie cannot be read by script an attacker injects through cross-site scripting (XSS), which helps keep the user's session information from being stolen.

Stronger session security: when a user logs in to a site, the server typically creates a session cookie that identifies the user on subsequent requests. If that cookie is HTTPOnly, then even if the site has an XSS vulnerability, the attacker cannot obtain the cookie through JavaScript.

Settings in Django: Django enables the HTTPOnly flag for the session cookie and the CSRF token cookie by default. You will find the following configuration in Django's settings file, settings.py:

SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_HTTPONLY = True
These settings ensure that the session cookie and the CSRF token cookie generated by Django are both HTTPOnly.

Setting an HTTPOnly cookie manually: if you need to set a cookie yourself in a Django view and want it to be HTTPOnly, do it like this:

response = HttpResponse()
response.set_cookie('my_cookie', 'value', httponly=True)
In this example, my_cookie is set as an HTTPOnly cookie.

Although HTTPOnly cookies add an extra layer of security, they do not stop every kind of attack. They cannot, for example, prevent a man-in-the-middle attack or the cookie being captured by other means (such as network sniffing). Besides HTTPOnly cookies, other security measures should therefore be taken as well, such as using HTTPS and deploying a Content Security Policy (CSP), to further raise the security of the site.

Password Security
Django provides secure password storage out of the box, implemented by the User model and the password hashing machinery in its built-in django.contrib.auth library. When a user registers and sets a password, Django does not store the plaintext password; it stores a hash of the password together with a random salt.

The key points of Django's secure password storage are:

Hash algorithm: Django uses secure hashing algorithms such as bcrypt and PBKDF2 (depending on your Django version) to protect passwords. These algorithms are designed so that even an attacker who obtains the hash cannot easily recover the original password by brute force or with rainbow tables.

Salt: each user's password hash is combined with a unique random salt, so that identical passwords still produce different hashes because their salts differ. This further increases the difficulty of cracking.

set_password() method: when a user sets a password, Django provides the set_password() method, which takes care of hashing and salt generation automatically. Example:

from django.contrib.auth.models import User

# create_user() already hashes and salts the password (it calls set_password() internally)
user = User.objects.create_user(username='myuser', password='mypassword')
# set_password() is the call to use when a password is changed later; it never stores plaintext
user.set_password('mypassword')
user.save()
Verifying a password: when a user tries to log in, Django checks whether the supplied password matches the hash and salt stored in the database. This is done by the authenticate() function rather than by comparing passwords directly.

check_password() method: to verify a password you can use the check_password() method, for example:

if user.check_password('mynewpassword'):
    # password is correct
    ...
else:
    # password is wrong
    ...
In this way Django protects user passwords effectively: even if the database is leaked, the attacker cannot obtain users' passwords directly, which improves security.
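To show where the salt lives and what check_password() actually compares, here is an added example (my code, not Django's) of a minimal PBKDF2-SHA256 hasher that produces the same "algorithm$iterations$salt$hash" layout Django stores in the password column. The iteration count and the 22-character alphanumeric salt are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # kept low for this example; Django's default is far higher and rises with each release
SALT_CHARS = string.ascii_letters + string.digits


def make_password(password, salt="", iterations=ITERATIONS):
    """Hash with a fresh random salt (what set_password() does) and encode for storage.
    The salt is stored in clear beside the hash: it is there to defeat rainbow tables, not to be secret."""
    salt = salt or "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(password, encoded):
    """Re-derive with the stored salt and iteration count and compare in constant time
    (what check_password() / authenticate() do instead of comparing plaintext)."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # not a value this hasher produced
    if algorithm != ALGORITHM:
        return False  # Django would dispatch to the matching entry in PASSWORD_HASHERS instead
    return hmac.compare_digest(make_password(password, salt, iterations), encoded)
```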

Secure Sessions
Django protects session data with encryption and signing to keep sessions secure. Secure sessions in Django are implemented as follows:

Encrypted session data: by default Django encrypts session data before storing it in the user's browser. Even if the user can inspect the browser's cookie data, they cannot read or understand its content directly. Django uses a secret key to encrypt and decrypt session data, ensuring its confidentiality.
Signed session data: in addition to encrypting the data, Django signs it. The signature is generated with the secret key and a hash algorithm and is used to verify the integrity and authenticity of the data. If the session data is tampered with in transit, signature verification fails, so tampering is prevented.
SESSION_ENGINE setting: in Django's settings file, the SESSION_ENGINE setting selects the session engine. By default Django uses django.contrib.sessions.backends.db, which stores the encrypted and signed session data in the database. Other engines, such as django.contrib.sessions.backends.cache or django.contrib.sessions.backends.file, can also be chosen.
SESSION_COOKIE_SECURE setting: setting SESSION_COOKIE_SECURE = True ensures that the session cookie is only sent over HTTPS connections, adding to the security of session data.
SESSION_COOKIE_HTTPONLY setting: likewise, setting SESSION_COOKIE_HTTPONLY = True forbids JavaScript access to the session cookie, reducing the scope of XSS attacks.
By encrypting and signing session data, Django keeps users' session information secure in transit and at rest, preventing leakage and tampering of sensitive data. This is one of the important measures for protecting user privacy and system security.
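The HttpOnly and Secure flags discussed in the HTTPOnly cookie section and in the SESSION_COOKIE_SECURE / SESSION_COOKIE_HTTPONLY points above are easy to verify from the outside: read the Set-Cookie headers a response emits and check each cookie for the flags it should carry. This added example (mine, not Django's) does that for the sessionid and csrftoken cookies; the expected-flag table and the sample headers are constructed for the example.

```python
# Flags each Django cookie should carry once the settings above are in place
# (SESSION_COOKIE_HTTPONLY / SESSION_COOKIE_SECURE and CSRF_COOKIE_HTTPONLY / CSRF_COOKIE_SECURE).
EXPECTED_FLAGS = {
    "sessionid": {"httponly", "secure"},
    "csrftoken": {"httponly", "secure"},
}

# Constructed sample: what a response might send before the settings are hardened.
SAMPLE_HEADERS = [
    "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax",
    "csrftoken=xyz789; Path=/; SameSite=Lax",
]


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names) from one Set-Cookie value.
    Attribute values (Path=/, SameSite=Lax) are dropped; only the attribute names matter here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Map each cookie we care about to the flags it is missing; an empty set means it is fine.
    Cookies not present in the response are not reported (they may legitimately be absent)."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in EXPECTED_FLAGS:
            findings[name] = EXPECTED_FLAGS[name] - attrs
    return findings


def is_hardened(set_cookie_headers):
    """True when every audited cookie in the response carries all expected flags."""
    return all(not missing for missing in audit_cookies(set_cookie_headers).values())
```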


That concludes this detailed guide to hardening the security of a Django website; for more information, follow the other related articles on OD云.

Source URL: http://www.odweb.cn/news_show.html?id=420