An introduction to Tornado's method of preventing cross-site attacks in Python

This article brings you an introduction to Tornado’s method of preventing cross-site attacks in Python. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

Cross-site request forgery (CSRF or XSRF) is a malicious use of a website. Through CSRF, attackers can assume the user's identity and perform malicious operations without the user's knowledge.

1. CSRF attack principle

The following figure shows the basic principle of CSRF. Site1 is a website with CSRF vulnerabilities, and SIte2 is a malicious website with attacks.

The content of the above picture is analyzed as follows:

• The user first visited Site1, a website with CSRF vulnerabilities, successfully logged in and obtained cookies. After that, all The user's visit to Site1 will carry Site1's cookie, so it is considered a valid operation by Site1.

• At this time, the user visited Site2, a site with offensive behavior, and the return page of Site2 contained a link to access Site1 for malicious operations, but it was disguised as legitimate content. , for example, the following hyperlink looks like a lottery information, but it actually wants to submit a withdrawal request to the Site1 site

<a>
三百万元抽奖，免费拿
</a>

• Once the user clicks on the malicious link, A request was sent to the Site1 site without your knowledge. Because the user has logged in to Site1 before and has not logged out, when Site1 receives the user's request and the accompanying cookie, it will consider the request to be a normal request sent by the user. At this point, the purpose of the malicious site has been achieved.

2. Use Tornado to prevent CSRF attacks

In order to prevent CSRF attacks, each request is required to include a parameter value as the matching storage of the token The corresponding value in the cookie.

Tornado applications can provide tokens to the page through a Cookie header and a hidden HTML form element. This way, when the form for a legitimate page is submitted, it will include the form values ​​and the stored cookies. If the two match, the Tornado application approval request is valid.

Enabling Tornado’s CSRF prevention function requires two steps.

[1] Pass in the xsrf_cookies=True parameter when instantiating tornado.web.Application, that is:

application=tornado.web.Application([
(r'/',MainHandler),
],
cookie_secret='DONT_LEAK_SECRET',
xsrf_cookies=True,
)

or:

settings={
"cookie_secret":"DONT_LEAK_SECRET",
"xsrf_cookies":True
}

application=tornado.web.Application([
(r'/',MainHandler),
],**settings)

When tornado.web.Application needs When there are too many initialized parameters, you can pass in named parameters in the form of a setting dictionary like this example

[2] In each template file with HTML expression, add xsrf_form_html() function tags to all forms. For example:

{% module xsrf_form_html() %}

The {% module xsrf_form_html() %} here plays the role of adding hidden elements to the form to prevent cross-site requests.

Tornado's secure cookie support and XSRF prevention framework reduce a lot of burdens on application developers. Without them, developers need to think about many detailed prevention measures, so Tornado's built-in security features are also very useful.

The above is the detailed content of An introduction to Tornado's method of preventing cross-site attacks in Python. For more information, please follow other related articles on the PHP Chinese website!