pyramid.csrf
¶
- class LegacySessionCSRFStoragePolicy[ソース]¶
A CSRF storage policy that defers control of CSRF storage to the session.
This policy maintains compatibility with legacy ISession implementations that know how to manage CSRF tokens themselves via
ISession.new_csrf_token
andISession.get_csrf_token
.Note that using this CSRF implementation requires that a session factory is configured.
バージョン 1.9 で追加.
- class SessionCSRFStoragePolicy(key='_csrft_')[ソース]¶
A CSRF storage policy that persists the CSRF token in the session.
Note that using this CSRF implementation requires that a session factory is configured.
key
The session key where the CSRF token will be stored. Default: _csrft_.
バージョン 1.9 で追加.
- class CookieCSRFStoragePolicy(cookie_name='csrf_token', secure=False, httponly=False, domain=None, max_age=None, path='/', samesite='Lax')[ソース]¶
An alternative CSRF implementation that stores its information in unauthenticated cookies, known as the 'Double Submit Cookie' method in the OWASP CSRF guidelines. This gives some additional flexibility with regards to scaling as the tokens can be generated and verified by a front-end server.
バージョン 1.9 で追加.
- get_csrf_token(request)[ソース]¶
Get the currently active CSRF token for the request passed, generating a new one using
new_csrf_token(request)
if one does not exist. This calls the equivalent method in the chosen CSRF protection implementation.バージョン 1.9 で追加.
- new_csrf_token(request)[ソース]¶
Generate a new CSRF token for the request passed and persist it in an implementation defined manner. This calls the equivalent method in the chosen CSRF protection implementation.
バージョン 1.9 で追加.
- check_csrf_origin(request, *, trusted_origins=None, allow_no_origin=False, raises=True)[ソース]¶
Check the
Origin
of the request to see if it is a cross site request or not.If the value supplied by the
Origin
orReferer
header isn't one of the trusted origins andraises
isTrue
, this function will raise apyramid.exceptions.BadCSRFOrigin
exception, but ifraises
isFalse
, this function will returnFalse
instead. If the CSRF origin checks are successful this function will returnTrue
unconditionally.Additional trusted origins may be added by passing a list of domain (and ports if non-standard like
['example.com', 'dev.example.com:8080']
) in with thetrusted_origins
parameter. Iftrusted_origins
isNone
(the default) this list of additional domains will be pulled from thepyramid.csrf_trusted_origins
setting.allow_no_origin
determines whether to returnTrue
when the origin cannot be determined via either theReferer
orOrigin
header. The default isFalse
which will reject the check.Note that this function will do nothing if
request.scheme
is nothttps
.バージョン 1.7 で追加.
バージョン 1.9 で変更: Moved from
pyramid.session
topyramid.csrf
バージョン 2.0 で変更: Added the
allow_no_origin
option.
- check_csrf_token(request, token='csrf_token', header='X-CSRF-Token', raises=True)[ソース]¶
Check the CSRF token returned by the
pyramid.interfaces.ICSRFStoragePolicy
implementation against the value inrequest.POST.get(token)
(if a POST request) orrequest.headers.get(header)
. If atoken
keyword is not supplied to this function, the stringcsrf_token
will be used to look up the token inrequest.POST
. If aheader
keyword is not supplied to this function, the stringX-CSRF-Token
will be used to look up the token inrequest.headers
.If the value supplied by post or by header cannot be verified by the
pyramid.interfaces.ICSRFStoragePolicy
, andraises
isTrue
, this function will raise anpyramid.exceptions.BadCSRFToken
exception. If the values differ andraises
isFalse
, this function will returnFalse
. If the CSRF check is successful, this function will returnTrue
unconditionally.See Checking CSRF Tokens Automatically for information about how to secure your application automatically against CSRF attacks.
バージョン 1.4a2 で追加.
バージョン 1.7a1 で変更: A CSRF token passed in the query string of the request is no longer considered valid. It must be passed in either the request body or a header.
バージョン 1.9 で変更: Moved from
pyramid.session
topyramid.csrf
and updated to use the configuredpyramid.interfaces.ICSRFStoragePolicy
to verify the CSRF token.