极客观点
项目管理
HarmonyOS
https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/
In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)
我试着翻译了一下:
另外,对于https请求,CsrfViewMiddleware执行了严格的referer检查。在https下session无关的场合,强调可能发生中间人攻击是有必要的,因为在https下和网站通信,HTTP的‘Set-Cookie’头(不幸)被客户端接收。(对于http请求不需要做referer 检测,因为呈现的Referer头不是足够可信的)
但不太理解是什么意思?
python
另外,对于https请求,CsrfViewMiddleware执行了严格的referer检查。
(不但检查csrf cookie,还检查http header里的referer)
这是为了解决https下中间人攻击带来的一个问题。
因为在https下和网站通信,HTTP的‘Set-Cookie’头(不幸)被客户端接收。(对于http请求不需要做referer 检测,因为呈现的Referer头不是足够可信的)
(就是说在https下,受到中间人攻击时,csrf cookie可能被截获。要同时检查referer来确保安全)