玩蛇网提供最新Python编程技术信息以及Python资源下载!

请问django csrf文档中下面句话应该如何理解

https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

我试着翻译了一下:
另外,对于https请求,CsrfViewMiddleware执行了严格的referer检查。在https下session无关的场合,强调可能发生中间人攻击是有必要的,因为在https下和网站通信,HTTP的‘Set-Cookie’头(不幸)被客户端接收。(对于http请求不需要做referer 检测,因为呈现的Referer头不是足够可信的)

但不太理解是什么意思?

另外,对于https请求,CsrfViewMiddleware执行了严格的referer检查。
(不但检查csrf cookie,还检查http header里的referer)
这是为了解决https下中间人攻击带来的一个问题。
因为在https下和网站通信,HTTP的‘Set-Cookie’头(不幸)被客户端接收。(对于http请求不需要做referer 检测,因为呈现的Referer头不是足够可信的)
(就是说在https下,受到中间人攻击时,csrf cookie可能被截获。要同时检查referer来确保安全)

玩蛇网文章,转载请注明出处和文章网址:https://www.iplaypy.com/wenda/wd18906.html

相关文章 Recommend

玩蛇网Python互助QQ群,欢迎加入-->: 106381465 玩蛇网Python新手群
修订日期:2017年05月19日 - 15时39分37秒 发布自玩蛇网

您现在的位置: 玩蛇网首页 > Python问题解答 > 正文内容
我要分享到:

必知PYTHON教程 Must Know PYTHON Tutorials

必知PYTHON模块 Must Know PYTHON Modules