
Django Allowed Hosts

I want only my front.domain.com to access the Django API, so I updated my settings.py. When I deployed, I can access the Django API via curl and Postman, so I'm confused. Is there anything I'm missing?

settings.py

DEBUG = False  # deployment

if DEBUG:
    FRONT_OFFICE_URL = 'http://127.0.0.1:4200/'
    ALLOWED_HOSTS = ['*']  # development
    CORS_ORIGIN_ALLOW_ALL = True # development
else:
    FRONT_OFFICE_URL = 'https://front.domaine.com'
    ALLOWED_HOSTS = [FRONT_OFFICE_URL ]  # deployment
    CORS_ORIGIN_WHITELIST = [FRONT_OFFICE_URL]
    CSRF_TRUSTED_ORIGINS = [FRONT_OFFICE_URL ]



INSTALLED_APPS = [
     ...
    'corsheaders',
   ]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
     ...
   ]

CORS prevents browsers from accessing resources on other domains. But any other HTTP request will not be blocked by CORS. If you need to block requests where Referer is not your domain, you can write some middleware to do that, but beware that it can easily be faked - Postman and curl both let you set the Referer header to any value.

If you need to secure requests to the API in Django, setting up CSRF protection is the way to go.
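Added example, not part of the original answer: a sketch of the Referer-checking middleware the answer mentions, comparing origins exactly and run over constructed Referer values to show that a hand-set header is indistinguishable from the browser's. `FRONT_OFFICE_URL` comes from the question; `RefererCheckMiddleware`, `origin_of`, `referer_allowed`, `evaluate` and the sample values are hypothetical.

```python
from urllib.parse import urlsplit

FRONT_OFFICE_URL = 'https://front.domaine.com'  # value from the question's settings.py


def origin_of(url):
    """Return (scheme, host, port) of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url or '')
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ('http', 'https') or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == 'https' else 80
    return (parts.scheme, parts.hostname, port)


def referer_allowed(referer, allowed=FRONT_OFFICE_URL):
    """True only when the Referer's origin equals the allowed origin exactly."""
    got = origin_of(referer)
    return got is not None and got == origin_of(allowed)


class RefererCheckMiddleware:
    """Django-style middleware (hypothetical name): 403 unless the Referer matches."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not referer_allowed(request.META.get('HTTP_REFERER')):
            # Imported here so the pure check above also runs without Django
            from django.http import HttpResponseForbidden
            return HttpResponseForbidden('Referer not allowed')
        return self.get_response(request)


# Constructed sample Referer values, one per kind of caller.
SAMPLES = {
    'browser on the front end': 'https://front.domaine.com/orders',
    'client sending no Referer': None,
    'look-alike host': 'https://front.domaine.com.example.net/',
    'curl/Postman with the header set by hand': 'https://front.domaine.com/',
}


def evaluate(samples=SAMPLES):
    return {name: referer_allowed(ref) for name, ref in samples.items()}
```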
