
How do you implement CSRF tokens in django rest framework?

I have noticed that when using django and you make a post request, using a form for example, django asks you to add the csrf token, but when I was fetching data from an api created with django rest framework with react I realized that when I didn't send the csrf token there wasn't any error with the application.

In this app I am using token authentication with knox and I have seen some posts about how to use csrf token with session authentication.

My question is if token authentication does not need the csrf tokens or are they passed automatically by react? Thanks in advance.

@Diegoa87 - You got it all mixed up.

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid. It is not needed for GET requests. It is not a form of authenticating or authorizing a user. It is a form of validating a request. A CSRF token is added to protect against CSRF attacks. And then there is something called SSRF.

Token-Based Authentication - This is irrespective of the type of requests. It is to authenticate if the user is a valid user or not.

Authorization - This is to make sure that the requested user has the sufficient privilege to access a protected resource.

My question is if token authentication does not need the csrf tokens or are they passed automatically by react? Thanks in advance.

As far as I know, tokens are passed in the header and this is for every request (GET, POST, PUT, DELETE). A CSRF token is added in an HTML form primarily for POST, PUT, DELETE. Something that can alter the state of a resource in the server. Hope this makes sense.

I am no expert in React but nothing is passed automatically. You have to add tokens in the header of your request.

CSRF token is tied to a request.

Tokens/JWT tokens are tied to a user making the request.
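The header handling the answer above describes, as an added example that is not part of the original question or answer: a small helper a React (or any fetch-based) client can use when calling a DRF API. The token goes in the Authorization header on every request and nothing attaches it automatically; the CSRF header is only needed when the API is using Django's session authentication, and then only for state-changing methods. The header prefix "Token", the cookie name "csrftoken" and the header name "X-CSRFToken" are assumed here (they are the django-rest-knox and Django defaults); the cookie strings in the usage section are constructed sample input.

```javascript
// Added example, not code from the original post. Builds the headers a
// browser client must add itself when calling a Django REST Framework API.
// Assumptions (not stated on the page): knox's default "Authorization: Token <key>"
// header, Django's default "csrftoken" cookie and "X-CSRFToken" header name.

// Methods Django treats as "safe": the CSRF middleware does not check them.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read one cookie value from a document.cookie-style string.
// Returns null when the cookie is absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build request headers.
//  - authToken:      knox/DRF token; sent on every request when present.
//  - useSessionAuth: true only if the API authenticates with the Django session
//                    cookie, which is the only case where DRF enforces CSRF.
//  - cookieString:   document.cookie (or a sample string when testing).
// Throws when a CSRF header is required but the cookie was never set.
function buildHeaders({ method, authToken = null, useSessionAuth = false, cookieString = "" }) {
  const m = method.toUpperCase();
  const headers = { "Content-Type": "application/json" };

  // Token auth: the browser never adds this header on its own, which is also
  // why a cross-site attacker cannot forge it and DRF skips the CSRF check.
  if (authToken) headers["Authorization"] = `Token ${authToken}`;

  // Session auth: the session cookie IS sent automatically, so unsafe methods
  // must carry the CSRF token read from the csrftoken cookie.
  if (useSessionAuth && !SAFE_METHODS.has(m)) {
    const csrf = getCookie(cookieString, "csrftoken");
    if (csrf === null) {
      throw new Error("csrftoken cookie missing: load a page that sets it before POSTing");
    }
    headers["X-CSRFToken"] = csrf;
  }
  return headers;
}

// Thin wrapper around fetch. fetchImpl is injected so it can be stubbed offline;
// in a browser pass window.fetch. credentials: "same-origin" makes the session
// cookie travel when session auth is in use.
function apiRequest(fetchImpl, url, { method = "GET", body = null, ...auth } = {}) {
  return fetchImpl(url, {
    method,
    credentials: "same-origin",
    headers: buildHeaders({ method, ...auth }),
    body: body === null ? undefined : JSON.stringify(body),
  });
}

// Usage with constructed sample cookies (no server needed):
const sampleCookies = "csrftoken=abc123; sessionid=xyz789"; // constructed sample input
// Token auth: Authorization on GET and POST alike, no CSRF header.
buildHeaders({ method: "post", authToken: "k1" });
// Session auth: CSRF header only on the POST, not on the GET.
buildHeaders({ method: "post", useSessionAuth: true, cookieString: sampleCookies });
```

Calling `apiRequest(window.fetch, "/api/items/", { method: "POST", body: {...}, authToken })` from a React component is all that is needed for a knox-protected endpoint; switching the same call to `useSessionAuth: true` is what makes the missing csrftoken cookie surface as an error on the client instead of a 403 from the server.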
