csrf

Why does the Same Origin Policy not block POST requests? [duplicate]

三世轮回 提交于 2020-12-13 04:52:42
问题 This question already has answers here : Why aren't POST requests always preflighted? (1 answer) Why is there no preflight in CORS for POST requests with standard content-type (1 answer) Closed last month . I understand that cross-origin, "simple" requests, like GET and POST have always been allowed (but you just can't view the response), and that PUT/DELETE are blocked, or preflighted if your browser supports CORS. I understand that allowing a GET request to be sent is harmless, as long as

django posts receive CSRF verification failed after switching to load balancer

删除回忆录丶 提交于 2020-12-12 05:10:43
问题 I have a working login template that does a post and looks like: <form action="" method="post"> {% csrf_token %} <br> {{form.email}} <div class="text-center"> <button type="submit">Login</i></button> </div> </form> My SSL settings look like: ssl SECURE_SSL_REDIRECT = False SECURE_HSTS_SECONDS = 3600 SESSION_COOKIE_SECURE = False SECURE_PROXY_SSL_HEADER = None CSRF_COOKIE_SECURE = False I made two changes. I switched to an aws ec2 elastic load balancer and from https to http. Now I am getting

跨站请求伪造 (CSRF)

我的未来我决定 提交于 2020-12-06 12:36:52
跨站请求伪造 (CSRF) CSRF与跨站脚本(XSS)非常相似, 只有一个非常重要的不同之处。XSS利用客户端的弱点,而CSRF利用的是网站服务器的弱点。 按照OWASP, “一个CSRF袭击迫使某个登录的浏览器向易受攻击的Web应用发送一个请求,然后以受害者的名义,为入侵者的利益进行所选择的行动”(“OWASP Top 10”, 2007 (RC1), 19页)。 这段描述的关键部分是“强迫已登录的”受害者发送请求。攻击者利用网站对目标用户的信任。这意味着如果攻击取得成功,攻击者就能代表用户执行以下行为: ◆购买商品 ◆转账 ◆运行恶意软件,留下很少或不留下查明真实攻击者的痕迹 ◆进行股票交易 ◆订阅在线服务 CSRF并不是一个简单的问题。据ha.ckers.org创立者rsnake称,互联网上有太多CSRF脆弱性需要注意(Kelly Jackson Higgins,“CSRF脆弱性:‘一个沉睡的巨人’”,darkReading,2006年10月17日)。WhiteHat Security的建立者Jeremiah Grossman也赞同这个观点,他指出:“由于工作机制与Web相似,[CRSF]并不被看作是一个脆弱性”(同上)。 那么其工作原理是什么呢?HTML镜像标签和JavaScript镜像对象是CSRF最常用的两个路径

Disable CSRF protection for specific URL pattern in Spring Boot

耗尽温柔 提交于 2020-12-04 18:05:01
问题 I use Spring Boot and Spring Security to create my web project. I want to disable CSRF protection for a specific URL pattern to provide API for Android devices. Using How to disable CSRF in Spring Security 4 only for specific URL pattern through XML configuration and the first method of Spring Boot: enable the CSRF check selectively only for some requests, I wrote the following config: package com.hnu.tutorial.configs; import org.springframework.boot.autoconfigure.security.SecurityProperties;

Disable CSRF protection for specific URL pattern in Spring Boot

南楼画角 提交于 2020-12-04 18:02:57
问题 I use Spring Boot and Spring Security to create my web project. I want to disable CSRF protection for a specific URL pattern to provide API for Android devices. Using How to disable CSRF in Spring Security 4 only for specific URL pattern through XML configuration and the first method of Spring Boot: enable the CSRF check selectively only for some requests, I wrote the following config: package com.hnu.tutorial.configs; import org.springframework.boot.autoconfigure.security.SecurityProperties;
订阅 csrf