Flask高效实现CSRF防护指南
Flask项目中CSRF Token实现的解决方案
在Web开发中,跨站请求伪造(CSRF)是一种常见的安全威胁。Flask框架提供了多种方式来实现CSRF防护,以下是一些高效且易于集成的解决方案。
使用Flask-WTF扩展实现CSRF防护
Flask-WTF是Flask框架的一个扩展,内置了CSRF防护功能。通过简单的配置即可启用CSRF保护。安装Flask-WTF后,在应用中配置密钥并启用CSRF保护。
from flask import Flask
from flask_wtf.csrf import CSRFProtect
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'
csrf = CSRFProtect(app)
在表单中添加CSRF Token字段,确保每次提交表单时都会验证Token的有效性。
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<!-- 其他表单字段 -->
</form>
手动实现CSRF Token验证
如果不使用Flask-WTF,可以手动实现CSRF Token的生成和验证。生成Token时使用安全的随机字符串,并将其存储在用户的会话中。
import os
from flask import Flask, session, request, abort
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
@app.before_request
def csrf_protect():
if request.method == "POST":
token = session.pop('_csrf_token', None)
if not token or token != request.form.get('_csrf_token'):
abort(403)
def generate_csrf_token():
if '_csrf_token' not in session:
session['_csrf_token'] = os.urandom(24).hex()
return session['_csrf_token']
app.jinja_env.globals['csrf_token'] = generate_csrf_token
在模板中,通过调用csrf_token函数生成Token并嵌入表单中。
<form method="post">
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<!-- 其他表单字段 -->
</form>
使用Flask-SeaSurf扩展
Flask-SeaSurf是另一个专门用于CSRF防护的Flask扩展,配置简单且功能强大。安装后,只需初始化扩展即可启用全局CSRF保护。
from flask import Flask
from flask_seasurf import SeaSurf
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'
csrf = SeaSurf(app)
在表单中添加CSRF Token字段,SeaSurf会自动处理Token的生成和验证。
<form method="post">
<input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
<!-- 其他表单字段 -->
</form>
AJAX请求中的CSRF防护
对于AJAX请求,需要在请求头中携带CSRF Token。可以通过JavaScript获取Token并将其添加到请求头中。
var csrf_token = document.querySelector('meta[name="csrf-token"]').content;
fetch('/submit', {
method: 'POST',
headers: {
'X-CSRFToken': csrf_token
},
body: JSON.stringify(data)
});
在Flask应用中,确保验证请求头中的Token。
@app.before_request
def check_csrf():
if request.method == "POST":
token = session.get('_csrf_token')
if not token or token != request.headers.get('X-CSRFToken'):
abort(403)
配置CSRF豁免
某些路由可能需要豁免CSRF验证,例如API端点。Flask-WTF和Flask-SeaSurf都支持豁免特定路由。
@csrf.exempt
@app.route('/api/submit', methods=['POST'])
def api_submit():
return 'CSRF exempted route'
通过以上方法,可以有效地在Flask项目中实现CSRF防护,确保应用的安全性。
BbS.okacop092.info/PoSt/1120_740730.HtM
BbS.okacop093.info/PoSt/1120_194775.HtM
BbS.okacop094.info/PoSt/1120_288972.HtM
BbS.okacop095.info/PoSt/1120_052396.HtM
BbS.okacop096.info/PoSt/1120_868432.HtM
BbS.okacop097.info/PoSt/1120_404908.HtM
BbS.okacop098.info/PoSt/1120_728315.HtM
BbS.okacop099.info/PoSt/1120_374686.HtM
BbS.okacop114.info/PoSt/1120_311212.HtM
BbS.okacop829.info/PoSt/1120_403919.HtM
BbS.okacop092.info/PoSt/1120_696712.HtM
BbS.okacop093.info/PoSt/1120_256749.HtM
BbS.okacop094.info/PoSt/1120_898271.HtM
BbS.okacop095.info/PoSt/1120_805703.HtM
BbS.okacop096.info/PoSt/1120_805243.HtM
BbS.okacop097.info/PoSt/1120_239291.HtM
BbS.okacop098.info/PoSt/1120_096106.HtM
BbS.okacop099.info/PoSt/1120_796847.HtM
BbS.okacop114.info/PoSt/1120_024686.HtM
BbS.okacop829.info/PoSt/1120_244470.HtM
BbS.okacop092.info/PoSt/1120_726016.HtM
BbS.okacop093.info/PoSt/1120_506474.HtM
BbS.okacop094.info/PoSt/1120_874669.HtM
BbS.okacop095.info/PoSt/1120_923213.HtM
BbS.okacop096.info/PoSt/1120_470936.HtM
BbS.okacop097.info/PoSt/1120_237147.HtM
BbS.okacop098.info/PoSt/1120_043034.HtM
BbS.okacop099.info/PoSt/1120_475425.HtM
BbS.okacop114.info/PoSt/1120_494896.HtM
BbS.okacop829.info/PoSt/1120_892600.HtM
BbS.okacop092.info/PoSt/1120_949696.HtM
BbS.okacop093.info/PoSt/1120_897215.HtM
BbS.okacop094.info/PoSt/1120_508703.HtM
BbS.okacop095.info/PoSt/1120_363940.HtM
BbS.okacop096.info/PoSt/1120_006145.HtM
BbS.okacop097.info/PoSt/1120_170211.HtM
BbS.okacop098.info/PoSt/1120_133422.HtM
BbS.okacop099.info/PoSt/1120_403476.HtM
BbS.okacop114.info/PoSt/1120_052136.HtM
BbS.okacop829.info/PoSt/1120_923621.HtM
BbS.okacop092.info/PoSt/1120_417407.HtM
BbS.okacop093.info/PoSt/1120_717942.HtM
BbS.okacop094.info/PoSt/1120_908060.HtM
BbS.okacop095.info/PoSt/1120_311617.HtM
BbS.okacop096.info/PoSt/1120_079149.HtM
BbS.okacop097.info/PoSt/1120_648250.HtM
BbS.okacop098.info/PoSt/1120_426110.HtM
BbS.okacop099.info/PoSt/1120_422180.HtM
BbS.okacop114.info/PoSt/1120_340222.HtM
BbS.okacop829.info/PoSt/1120_956554.HtM
BbS.okacop000.info/PoSt/1120_142327.HtM
BbS.okacop001.info/PoSt/1120_188979.HtM
BbS.okacop002.info/PoSt/1120_992510.HtM
BbS.okacop003.info/PoSt/1120_389482.HtM
BbS.okacop004.info/PoSt/1120_984236.HtM
BbS.okacop005.info/PoSt/1120_902292.HtM
BbS.okacop006.info/PoSt/1120_706520.HtM
BbS.okacop007.info/PoSt/1120_509216.HtM
BbS.okacop008.info/PoSt/1120_236487.HtM
BbS.okacop009.info/PoSt/1120_866497.HtM
BbS.okacop000.info/PoSt/1120_422740.HtM
BbS.okacop001.info/PoSt/1120_916333.HtM
BbS.okacop002.info/PoSt/1120_078517.HtM
BbS.okacop003.info/PoSt/1120_035847.HtM
BbS.okacop004.info/PoSt/1120_480231.HtM
BbS.okacop005.info/PoSt/1120_563367.HtM
BbS.okacop006.info/PoSt/1120_319715.HtM
BbS.okacop007.info/PoSt/1120_788112.HtM
BbS.okacop008.info/PoSt/1120_490597.HtM
BbS.okacop009.info/PoSt/1120_168953.HtM
BbS.okacop000.info/PoSt/1120_872990.HtM
BbS.okacop001.info/PoSt/1120_738888.HtM
BbS.okacop002.info/PoSt/1120_703366.HtM
BbS.okacop003.info/PoSt/1120_642289.HtM
BbS.okacop004.info/PoSt/1120_098546.HtM
BbS.okacop005.info/PoSt/1120_523067.HtM
BbS.okacop006.info/PoSt/1120_707210.HtM
BbS.okacop007.info/PoSt/1120_542499.HtM
BbS.okacop008.info/PoSt/1120_847975.HtM
BbS.okacop009.info/PoSt/1120_251277.HtM
哔哩哔哩公司福利 876人发布