Home Explore Help
Sign In
CityApper
/
django
mirror of https://github.com/django/django
2
0
Fork 0
Files Issues 0 Wiki
Tree: 756c390fb5
Branches Tags
django
/
docs
/
ref
/
middleware.txt

middleware.txt 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310 
  1. ==========
    2. 

  2. Middleware
    3. 

  3. ==========
    4. 

  4. 

  5. .. module:: django.middleware
    6. 

  6.    :synopsis: Django's built-in middleware classes.
    7. 

  7. 

  8. This document explains all middleware components that come with Django. For
    9. 

  9. information on how to use them and how to write your own middleware, see
    10. 

  10. the :doc:`middleware usage guide </topics/http/middleware>`.
    11. 

  11. 

  12. Available middleware
    13. 

  13. ====================
    14. 

  14. 

  15. Cache middleware
    16. 

  16. ----------------
    17. 

  17. 

  18. .. module:: django.middleware.cache
    19. 

  19.    :synopsis: Middleware for the site-wide cache.
    20. 

  20. 

  21. .. class:: UpdateCacheMiddleware
    22. 

  22. 

  23. .. class:: FetchFromCacheMiddleware
    24. 

  24. 

  25. Enable the site-wide cache. If these are enabled, each Django-powered page will
    26. 

  26. be cached for as long as the :setting:`CACHE_MIDDLEWARE_SECONDS` setting
    27. 

  27. defines. See the :doc:`cache documentation </topics/cache>`.
    28. 

  28. 

  29. "Common" middleware
    30. 

  30. -------------------
    31. 

  31. 

  32. .. module:: django.middleware.common
    33. 

  33.    :synopsis: Middleware adding "common" conveniences for perfectionists.
    34. 

  34. 

  35. .. class:: CommonMiddleware
    36. 

  36. 

  37. Adds a few conveniences for perfectionists:
    38. 

  38. 

  39. * Forbids access to user agents in the :setting:`DISALLOWED_USER_AGENTS`
    40. 

  40.   setting, which should be a list of compiled regular expression objects.
    41. 

  41. 

  42. * Performs URL rewriting based on the :setting:`APPEND_SLASH` and
    43. 

  43.   :setting:`PREPEND_WWW` settings.
    44. 

  44. 

  45.   If :setting:`APPEND_SLASH` is ``True`` and the initial URL doesn't end
    46. 

  46.   with a slash, and it is not found in the URLconf, then a new URL is
    47. 

  47.   formed by appending a slash at the end. If this new URL is found in the
    48. 

  48.   URLconf, then Django redirects the request to this new URL. Otherwise,
    49. 

  49.   the initial URL is processed as usual.
    50. 

  50. 

  51.   For example, ``foo.com/bar`` will be redirected to ``foo.com/bar/`` if
    52. 

  52.   you don't have a valid URL pattern for ``foo.com/bar`` but *do* have a
    53. 

  53.   valid pattern for ``foo.com/bar/``.
    54. 

  54. 

  55.   If :setting:`PREPEND_WWW` is ``True``, URLs that lack a leading "www."
    56. 

  56.   will be redirected to the same URL with a leading "www."
    57. 

  57. 

  58.   Both of these options are meant to normalize URLs. The philosophy is that
    59. 

  59.   each URL should exist in one, and only one, place. Technically a URL
    60. 

  60.   ``foo.com/bar`` is distinct from ``foo.com/bar/`` -- a search-engine
    61. 

  61.   indexer would treat them as separate URLs -- so it's best practice to
    62. 

  62.   normalize URLs.
    63. 

  63. 

  64. * Handles ETags based on the :setting:`USE_ETAGS` setting. If
    65. 

  65.   :setting:`USE_ETAGS` is set to ``True``, Django will calculate an ETag
    66. 

  66.   for each request by MD5-hashing the page content, and it'll take care of
    67. 

  67.   sending ``Not Modified`` responses, if appropriate.
    68. 

  68. 

  69. .. class:: BrokenLinkEmailsMiddleware
    70. 

  70. 

  71. * Sends broken link notification emails to :setting:`MANAGERS` (see
    72. 

  72.   :doc:`/howto/error-reporting`).
    73. 

  73. 

  74. GZip middleware
    75. 

  75. ---------------
    76. 

  76. 

  77. .. module:: django.middleware.gzip
    78. 

  78.    :synopsis: Middleware to serve GZipped content for performance.
    79. 

  79. 

  80. .. class:: GZipMiddleware
    81. 

  81. 

  82. .. warning::
    83. 

  83. 

  84.     Security researchers recently revealed that when compression techniques
    85. 

  85.     (including ``GZipMiddleware``) are used on a website, the site becomes
    86. 

  86.     exposed to a number of possible attacks. These approaches can be used to
    87. 

  87.     compromise, among other things, Django's CSRF protection. Before using
    88. 

  88.     ``GZipMiddleware`` on your site, you should consider very carefully whether
    89. 

  89.     you are subject to these attacks. If you're in *any* doubt about whether
    90. 

  90.     you're affected, you should avoid using ``GZipMiddleware``. For more
    91. 

  91.     details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
    92. 

  92. 

  93.     .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
    94. 

  94.     .. _breachattack.com: http://breachattack.com
    95. 

  95. 

  96. Compresses content for browsers that understand GZip compression (all modern
    97. 

  97. browsers).
    98. 

  98. 

  99. This middleware should be placed before any other middleware that need to
    100. 

  100. read or write the response body so that compression happens afterward.
    101. 

  101. 

  102. It will NOT compress content if any of the following are true:
    103. 

  103. 

  104. * The content body is less than 200 bytes long.
    105. 

  105. 

  106. * The response has already set the ``Content-Encoding`` header.
    107. 

  107. 

  108. * The request (the browser) hasn't sent an ``Accept-Encoding`` header
    109. 

  109.   containing ``gzip``.
    110. 

  110. 

  111. * The request is from Internet Explorer and the ``Content-Type`` header
    112. 

  112.   contains ``javascript`` or starts with anything other than ``text/``.
    113. 

  113.   We do this to avoid a bug in early versions of IE that caused decompression
    114. 

  114.   not to be performed on certain content types.
    115. 

  115. 

  116. You can apply GZip compression to individual views using the
    117. 

  117. :func:`~django.views.decorators.gzip.gzip_page()` decorator.
    118. 

  118. 

  119. Conditional GET middleware
    120. 

  120. --------------------------
    121. 

  121. 

  122. .. module:: django.middleware.http
    123. 

  123.    :synopsis: Middleware handling advanced HTTP features.
    124. 

  124. 

  125. .. class:: ConditionalGetMiddleware
    126. 

  126. 

  127. Handles conditional GET operations. If the response has a ``ETag`` or
    128. 

  128. ``Last-Modified`` header, and the request has ``If-None-Match`` or
    129. 

  129. ``If-Modified-Since``, the response is replaced by an
    130. 

  130. :class:`~django.http.HttpResponseNotModified`.
    131. 

  131. 

  132. Also sets the ``Date`` and ``Content-Length`` response-headers.
    133. 

  133. 

  134. Reverse proxy middleware
    135. 

  135. ------------------------
    136. 

  136. 

  137. .. class:: SetRemoteAddrFromForwardedFor
    138. 

  138. 

  139. This middleware was removed in Django 1.1. See :ref:`the release notes
    140. 

  140. <removed-setremoteaddrfromforwardedfor-middleware>` for details.
    141. 

  141. 

  142. Locale middleware
    143. 

  143. -----------------
    144. 

  144. 

  145. .. module:: django.middleware.locale
    146. 

  146.    :synopsis: Middleware to enable language selection based on the request.
    147. 

  147. 

  148. .. class:: LocaleMiddleware
    149. 

  149. 

  150. Enables language selection based on data from the request. It customizes
    151. 

  151. content for each user. See the :doc:`internationalization documentation
    152. 

  152. </topics/i18n/translation>`.
    153. 

  153. 

  154. .. attribute:: LocaleMiddleware.response_redirect_class
    155. 

  155. 

  156. Defaults to :class:`~django.http.HttpResponseRedirect`. Subclass
    157. 

  157. ``LocaleMiddleware`` and override the attribute to customize the redirects
    158. 

  158. issued by the middleware.
    159. 

  159. 

  160. Message middleware
    161. 

  161. ------------------
    162. 

  162. 

  163. .. module:: django.contrib.messages.middleware
    164. 

  164.    :synopsis: Message middleware.
    165. 

  165. 

  166. .. class:: MessageMiddleware
    167. 

  167. 

  168. Enables cookie- and session-based message support. See the
    169. 

  169. :doc:`messages documentation </ref/contrib/messages>`.
    170. 

  170. 

  171. Session middleware
    172. 

  172. ------------------
    173. 

  173. 

  174. .. module:: django.contrib.sessions.middleware
    175. 

  175.    :synopsis: Session middleware.
    176. 

  176. 

  177. .. class:: SessionMiddleware
    178. 

  178. 

  179. Enables session support. See the :doc:`session documentation
    180. 

  180. </topics/http/sessions>`.
    181. 

  181. 

  182. Site middleware
    183. 

  183. ---------------
    184. 

  184. 

  185. .. module:: django.contrib.sites.middleware
    186. 

  186.   :synopsis: Site middleware.
    187. 

  187. 

  188. .. class:: CurrentSiteMiddleware
    189. 

  189. 

  190. .. versionadded:: 1.7
    191. 

  191. 

  192. Adds the ``site`` attribute representing the current site to every incoming
    193. 

  193. ``HttpRequest`` object. See the :ref:`sites documentation <site-middleware>`.
    194. 

  194. 

  195. Authentication middleware
    196. 

  196. -------------------------
    197. 

  197. 

  198. .. module:: django.contrib.auth.middleware
    199. 

  199.   :synopsis: Authentication middleware.
    200. 

  200. 

  201. .. class:: AuthenticationMiddleware
    202. 

  202. 

  203. Adds the ``user`` attribute, representing the currently-logged-in user, to
    204. 

  204. every incoming ``HttpRequest`` object. See :ref:`Authentication in Web requests
    205. 

  205. <auth-web-requests>`.
    206. 

  206. 

  207. .. class:: RemoteUserMiddleware
    208. 

  208. 

  209. Middleware for utilizing Web server provided authentication. See
    210. 

  210. :doc:`/howto/auth-remote-user` for usage details.
    211. 

  211. 

  212. .. class:: SessionAuthenticationMiddleware
    213. 

  213. 

  214. .. versionadded:: 1.7
    215. 

  215. 

  216. Allows a user's sessions to be invalidated when their password changes. See
    217. 

  217. :ref:`session-invalidation-on-password-change` for details. This middleware must
    218. 

  218. appear after :class:`django.contrib.auth.middleware.AuthenticationMiddleware`
    219. 

  219. in :setting:`MIDDLEWARE_CLASSES`.
    220. 

  220. 

  221. CSRF protection middleware
    222. 

  222. --------------------------
    223. 

  223. 

  224. .. module:: django.middleware.csrf
    225. 

  225.    :synopsis: Middleware adding protection against Cross Site Request
    226. 

  226.               Forgeries.
    227. 

  227. 

  228. .. class:: CsrfViewMiddleware
    229. 

  229. 

  230. Adds protection against Cross Site Request Forgeries by adding hidden form
    231. 

  231. fields to POST forms and checking requests for the correct value. See the
    232. 

  232. :doc:`Cross Site Request Forgery protection documentation </ref/contrib/csrf>`.
    233. 

  233. 

  234. X-Frame-Options middleware
    235. 

  235. --------------------------
    236. 

  236. 

  237. .. module:: django.middleware.clickjacking
    238. 

  238.    :synopsis: Clickjacking protection
    239. 

  239. 

  240. .. class:: XFrameOptionsMiddleware
    241. 

  241. 

  242. Simple :doc:`clickjacking protection via the X-Frame-Options header </ref/clickjacking/>`.
    243. 

  243. 

  244. .. _middleware-ordering:
    245. 

  245. 

  246. Middleware ordering
    247. 

  247. ===================
    248. 

  248. 

  249. Here are some hints about the ordering of various Django middleware classes:
    250. 

  250. 

  251. #. :class:`~django.middleware.cache.UpdateCacheMiddleware`
    252. 

  252. 

  253.    Before those that modify the ``Vary`` header (``SessionMiddleware``,
    254. 

  254.    ``GZipMiddleware``, ``LocaleMiddleware``).
    255. 

  255. 

  256. #. :class:`~django.middleware.gzip.GZipMiddleware`
    257. 

  257. 

  258.    Before any middleware that may change or use the response body.
    259. 

  259. 

  260.    After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
    261. 

  261. 

  262. #. :class:`~django.middleware.http.ConditionalGetMiddleware`
    263. 

  263. 

  264.    Before ``CommonMiddleware``: uses its ``Etag`` header when
    265. 

  265.    :setting:`USE_ETAGS` = ``True``.
    266. 

  266. 

  267. #. :class:`~django.contrib.sessions.middleware.SessionMiddleware`
    268. 

  268. 

  269.    After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
    270. 

  270. 

  271. #. :class:`~django.middleware.locale.LocaleMiddleware`
    272. 

  272. 

  273.    One of the topmost, after ``SessionMiddleware`` (uses session data) and
    274. 

  274.    ``CacheMiddleware`` (modifies ``Vary`` header).
    275. 

  275. 

  276. #. :class:`~django.middleware.common.CommonMiddleware`
    277. 

  277. 

  278.    Before any middleware that may change the response (it calculates ``ETags``).
    279. 

  279. 

  280.    After ``GZipMiddleware`` so it won't calculate an ``ETag`` header on gzipped
    281. 

  281.    contents.
    282. 

  282. 

  283.    Close to the top: it redirects when :setting:`APPEND_SLASH` or
    284. 

  284.    :setting:`PREPEND_WWW` are set to ``True``.
    285. 

  285. 

  286. #. :class:`~django.middleware.csrf.CsrfViewMiddleware`
    287. 

  287. 

  288.    Before any view middleware that assumes that CSRF attacks have been dealt
    289. 

  289.    with.
    290. 

  290. 

  291. #. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
    292. 

  292. 

  293.    After ``SessionMiddleware``: uses session storage.
    294. 

  294. 

  295. #. :class:`~django.contrib.messages.middleware.MessageMiddleware`
    296. 

  296. 

  297.    After ``SessionMiddleware``: can use session-based storage.
    298. 

  298. 

  299. #. :class:`~django.middleware.cache.FetchFromCacheMiddleware`
    300. 

  300. 

  301.    After any middleware that modifies the ``Vary`` header: that header is used
    302. 

  302.    to pick a value for the cache hash-key.
    303. 

  303. 

  304. #. :class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware`
    305. 

  305. 

  306.    Should be near the bottom as it's a last-resort type of middleware.
    307. 

  307. 

  308. #. :class:`~django.contrib.redirects.middleware.RedirectFallbackMiddleware`
    309. 

  309. 

  310.    Should be near the bottom as it's a last-resort type of middleware.
    311.