..
.. META INFORMATION OF TRANSLATION
..
.. $TranslationStatus: Done, waiting for revision. $
.. $OriginalRevision: 11348 $
.. $TranslationAuthors: Robson Mendonça $
..
.. INFO OF THIS FILE (DO NOT EDIT! UPDATED BY SUBVERSION)
..
.. $HeadURL$
.. $LastChangedRevision$
.. $LastChangedBy$
.. $LastChangedDate$
..

=====================================
Cross Site Request Forgery protection
=====================================

.. module:: django.contrib.csrf
   :synopsis: Protects against Cross Site Request Forgeries

The CSRF middleware and template tag provide easy-to-use protection against
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
website creates a link or form button that is intended to perform some action
on your site, using the credentials of a logged-in user who can be tricked into
clicking the link in their browser.

A related type of attack, 'login CSRF', where an attacking site tricks a user's
browser into logging into a site with someone else's credentials, is also
covered.

The first defense against CSRF attacks is to ensure that GET requests are free
of side effects. POST requests can then be protected by this middleware by
adding it to your list of installed middleware.

.. versionadded:: 1.2
    The 'contrib' apps, including the admin, use the functionality described
    here. Because it is security related, a few things have been added to core
    functionality to allow this to happen without any required upgrade steps.

.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF

How to use it
=============

.. versionchanged:: 1.2
    The template tag functionality (the recommended way to use this) was added
    in version 1.2. The previous method (still available) is described under
    `Legacy method`_.

To enable CSRF protection for your views, follow these steps:

1. Add the middleware ``'django.middleware.csrf.CsrfViewMiddleware'`` to your
   list of middleware classes, :setting:`MIDDLEWARE_CLASSES`. (It should come
   before ``CsrfResponseMiddleware`` if that is being used, and before any view
   middleware that assume that CSRF attacks have been dealt with.)

   Alternatively, you can use the decorator
   ``django.views.decorators.csrf.csrf_protect`` on particular views you want
   to protect (see below).

2. In any template that uses a POST form, use the :ttag:`csrf_token` tag
   inside the ``
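The following is an added example, not part of this documentation and not
Django's own code: a small stand-alone Python model of the check that the view
middleware performs, showing why the middleware (step 1) and the template tag
(step 2) are needed together and why GET views must stay free of side effects.
It assumes Django's default names for the cookie (``csrftoken``) and for the
hidden form field (``csrfmiddlewaretoken``) that the tag renders; the function
names and the sample requests are constructed for the example.

```python
"""Minimal model of the CSRF check performed by a view middleware such as
CsrfViewMiddleware (added example, not Django's own code).

Assumed names, mirroring Django's defaults: the token lives in a cookie
called ``csrftoken`` and must be echoed back in a hidden POST field called
``csrfmiddlewaretoken``, which is what the ``{% csrf_token %}`` tag renders.
"""
import hmac
import secrets

COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"
# Methods the middleware treats as side-effect free and never challenges;
# this is why the docs insist that GET views must have no side effects.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def generate_token(nbytes=32):
    """Unguessable token that the middleware sets in the cookie."""
    return secrets.token_hex(nbytes)


def csrf_token_field(token):
    """What the template tag contributes to a POST form: a hidden field."""
    return '<input type="hidden" name="%s" value="%s" />' % (FIELD_NAME, token)


def csrf_check(method, cookies, post_data):
    """Return (ok, reason). Unsafe requests must carry a form token equal to
    the cookie token; ok=False means the middleware answers HTTP 403."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "no CSRF cookie: this client never rendered our form"
    form_token = post_data.get(FIELD_NAME, "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(form_token, cookie_token):
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"


def demo():
    """Constructed requests: one from our own form, two cross-site, one GET."""
    token = generate_token()
    cookies = {COOKIE_NAME: token}  # the browser sends this on every request
    results = {}
    # 1. Legitimate POST from a form rendered with {% csrf_token %}.
    results["own_form"] = csrf_check(
        "POST", cookies, {FIELD_NAME: token, "amount": "10"})[0]
    # 2. Cross-site form: the browser still attaches our cookie, but a page on
    #    another origin cannot read it, so the hidden field is absent or wrong.
    results["cross_site"] = csrf_check("POST", cookies, {"amount": "10"})[0]
    results["guessed"] = csrf_check("POST", cookies, {FIELD_NAME: "0" * 64})[0]
    # 3. GET is never challenged, which is only safe if GET has no side effects.
    results["get"] = csrf_check("GET", cookies, {})[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-11s %s" % (name, "allowed" if ok else "rejected (403)"))
```

The model deliberately leaves out everything else the real middleware does;
its point is only that a forged request can carry the victim's cookie but not
the matching hidden field, so a POST form without the tag is rejected exactly
like an attacker's form would be.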