Securing a GET Request in a Django Web Application

How do I protect a specific GET request (for example, one matching ^api/...)?

I want this view (API call) to be available only to my Django web application.

It should only be called through the Django web application, not directly.

Is it a good idea to use the hash key generated by the CSRF middleware? Is there a better approach?

+5
2 answers

I am afraid there is no reliable way to achieve this. The best way I can think of is to generate some kind of secret key in your JavaScript client and use it. This will make it difficult to use your methods with a certificate. Perhaps using an HMAC, or something like that.

Say the URL is /api/users/1/vote_up. Then:

<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/hmac-sha256.js"></script>
<script>
// jQuery is assumed to be loaded already.
// HMAC-SHA256 over the request path, keyed with the (obfuscated) passphrase.
var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, generatePassphraseObfuscated());
hmac.update("/api/users/1/vote_up");
var hash = hmac.finalize();   // WordArray; toString() gives hex
$.ajax("/api/users/1/vote_up", {
    data: {hash: hash.toString()}   // sent as ?hash=... on the GET
});
</script>

generatePassphraseObfuscated is where the obfuscation goes: the passphrase could come from a cookie, for instance, or the function could exist in several variants, e.g.:

// variant A: CryptoJS expects a string (or WordArray) key
function generatePassphraseObfuscated(){
    return "1";
}

// variant B
function generatePassphraseObfuscated(){
    return "2";
}

The chosen passphrase can be kept in a cookie. The hash is then verified on the server side, in Django.


+2
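The server-side half of the scheme in this answer, as an added example that is not part of the original post: it recomputes the same HMAC-SHA256 over the request path that the CryptoJS snippet produces and compares it in constant time, which is what a Django view would do with request.path and request.GET["hash"]. It assumes the shared secret is the string "1" (the answer's first variant of generatePassphraseObfuscated). The second half goes beyond the answer: because the MAC covers only the path, a captured hash can be replayed indefinitely, so it also signs a timestamp and rejects stale requests. The sample path and timestamps are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: generatePassphraseObfuscated() on the client returns "1" (the
# answer's first variant), so the server is configured with the same secret.
SHARED_SECRET = "1"


def client_hash(path: str, secret: str = SHARED_SECRET) -> str:
    """What the CryptoJS snippet computes: HMAC-SHA256 over the request path,
    hex-encoded (CryptoJS WordArray.toString() defaults to hex)."""
    return hmac.new(secret.encode(), path.encode(), hashlib.sha256).hexdigest()


def verify_hash(path: str, presented: object, secret: str = SHARED_SECRET) -> bool:
    """Server side: recompute the MAC for request.path and compare it with the
    ?hash= query parameter in constant time. Anything malformed is rejected."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(client_hash(path, secret), presented)


# Beyond the answer: the MAC above covers only the path, so a hash captured
# once is valid for that path forever. Signing a timestamp together with the
# path, and rejecting stale timestamps, limits replay to a short window.
MAX_SKEW_SECONDS = 60


def sign_request(path: str, ts: int, secret: str = SHARED_SECRET) -> str:
    """Client side (the JavaScript would do the same): MAC over the timestamp,
    a newline, and the path."""
    msg = f"{ts}\n{path}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_signed_request(path: str, ts: object, mac: object,
                          secret: str = SHARED_SECRET,
                          now: Optional[int] = None) -> bool:
    """Server side: reject a non-integer timestamp, one outside the window,
    or a MAC that does not match the recomputed value."""
    if not isinstance(mac, str):
        return False
    try:
        ts_int = int(ts)
    except (TypeError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign_request(path, ts_int, secret), mac)


if __name__ == "__main__":
    # Constructed sample request: the path from the answer.
    path = "/api/users/1/vote_up"
    h = client_hash(path)
    print("valid hash accepted:", verify_hash(path, h))
    print("same hash on another path rejected:", verify_hash("/api/users/2/vote_up", h))
    print("replayed hash still accepted:", verify_hash(path, h))
    ts = int(time.time())
    print("fresh signed request:", verify_signed_request(path, str(ts), sign_request(path, ts)))
    stale = ts - 3600
    print("stale signed request:", verify_signed_request(path, str(stale), sign_request(path, stale)))
```

Note what this does and does not prove: the secret is shipped in the JavaScript, so anyone who reads the page source can compute client_hash themselves; the check raises the bar for casual scripting, as the answer says, and nothing more. Use hmac.compare_digest rather than == so the comparison does not leak timing information.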

You could also check where the request comes from, using request.META['REMOTE_ADDR'].

0
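The REMOTE_ADDR check from this answer, as an added example that is not part of the original post. It works on a request.META-style dictionary so it runs without Django; in a view you would call is_allowed(request.META) and return HttpResponseForbidden on False. The allowed networks and the trusted proxy address are constructed assumptions. The point a practitioner needs here is that REMOTE_ADDR is the TCP peer and cannot be forged by the caller, whereas X-Forwarded-For is an ordinary header anyone can send, so it is only honoured when the peer is one of your own proxies.

```python
import ipaddress
from typing import Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed for this example (assumptions, not values from the page):
# the networks allowed to call the API, and the reverse proxies that sit in
# front of Django. Both would live in settings in a real project.
ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _in_any(addr: IPAddr, nets) -> bool:
    return any(addr in net for net in nets)


def client_ip(meta: Mapping[str, str]) -> Optional[IPAddr]:
    """Work out which address the request really came from.

    REMOTE_ADDR is the TCP peer, set by the WSGI server, so the caller cannot
    spoof it. X-Forwarded-For is a request header anyone can send, so it is
    honoured only when the peer is one of our own proxies, and then only its
    last entry (the one that proxy appended)."""
    try:
        peer = ipaddress.ip_address(meta.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")
            if h.strip()]
    if not hops:
        return peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return None


def is_allowed(meta: Mapping[str, str]) -> bool:
    """True when the effective client address is in ALLOWED_CLIENTS."""
    addr = client_ip(meta)
    return addr is not None and _in_any(addr, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed request.META dictionaries.
    direct = {"REMOTE_ADDR": "10.1.2.3"}
    spoofed = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "10.0.0.1"}
    via_proxy = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_FORWARDED_FOR": "10.0.0.7"}
    print("direct:", is_allowed(direct))
    print("spoofed X-Forwarded-For:", is_allowed(spoofed))
    print("via trusted proxy:", is_allowed(via_proxy))
```

This only helps when the legitimate caller is a machine you control (another server, a cron job). The question's JavaScript runs in every user's browser, so a user who can load the page can also call the endpoint with curl from the same address, and an address check cannot tell the two apart.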
