开发者

CSRF exempt for iphone Posting to Django site

I have a w开发者_如何转开发eb form that is used by users to post onto my site. I would like to use the same django view to handle post requests made by the iPhone. Since i have CSRF middleware set in Django, the iPhone app cannot post. I read a few posts and they mention to make csrf exempt for the particular view. Is this the standard solution? Does that mean all sites that allow users to post via iphone are vulnerable to csrf attacks?


Any form that can be posted by a machine (e.g. an iOS App) is susceptible to CSRF.

There's no way around it. If you can code it in Objective-C someone else can code it in JS.

The "standard" way to solve this problem would be to create a separate API for the iPhone to use. Users fill out the form and send it. The iPhone talks directly to the dedicated API and circumvents the form altogether.

To secure the iPhone API from unauthorized access you have two main options:

1) Send the API requests over HTTPS and password protect them

2) Embed an SSL certificate in your APP and do an SSL handshake with two-way authentication between the device and the server.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜