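def insert_spoofed_https_csrf_headers(headers, base_url):
    """
    Populate ``headers`` with the 'Host' and 'Referer' values Django's CSRF middleware
    expects on an HTTPS request, so a non-browser REST client is not rejected by the
    Referer check that Django applies only to secure (HTTPS) connections.

    :param headers: a dictionary into which headers are inserted in place (existing
        'Host'/'Referer' entries are overwritten); nothing is added for non-HTTPS URLs
    :param base_url: the base URL of the Django application being contacted; its scheme
        decides whether anything is inserted and its network location becomes 'Host'
    :return: None -- ``headers`` is mutated in place

    Security notes (reviewer):
    * This works around a server-side control rather than satisfying it. CSRF is a
      *browser* problem (a malicious site causing the victim's browser to send an
      ambient-credentialed request); it is distinct from cross-site scripting (XSS).
      For a standalone client the cleaner fix is to authenticate in a way that Django /
      DRF does not subject to CSRF enforcement (e.g. token-based auth instead of
      session cookies), so no spoofing is needed at all.
    * NOTE(review): Django's CSRF protection also compares a CSRF cookie with a
      token/header; if the server enforces CSRF for this client's auth mode, matching
      'Referer' alone is presumably not sufficient -- confirm against the server config.
    * NOTE(review): some HTTP client libraries ignore or rewrite a caller-supplied
      'Host' header; verify the value actually goes on the wire if it matters.

    References:
    https://docs.djangoproject.com/en/dev/ref/csrf/#how-it-works
    http://security.stackexchange.com/questions/96114/why-is-referer-checking-needed-for-django
    http://mathieu.fenniak.net/is-your-web-api-susceptible-to-a-csrf-exploit/
    """
    # Django only performs the strict Referer check on HTTPS requests, so plain-HTTP
    # targets need nothing. urlsplit() lower-cases the scheme, so 'HTTPS://' also matches.
    parts = urlsplit(base_url)
    if parts.scheme != 'https':
        return

    # 'Host' must be the netloc (host[:port]) Django compares the Referer against;
    # 'Referer' (the spelling is fixed by the HTTP spec) is the full base URL so that
    # it is same-origin with the target.
    headers['Host'] = parts.netloc
    headers['Referer'] = base_url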