mirror of https://github.com/django/django.git synced 2025-10-26 15:16:09 +00:00

Fixed #20816 -- Added hints about Django middleware ordering

Thanks gthb Trac user for the report, kolypto StackOverflow
user for the initial list and Tim Graham for the review.
Claude Paroz
2014-05-22 17:08:32 +02:00
parent beec05686c
commit 756c390fb5
2 changed files with 71 additions and 1 deletions


@@ -240,3 +240,71 @@ X-Frame-Options middleware
.. class:: XFrameOptionsMiddleware .. class:: XFrameOptionsMiddleware
Simple :doc:`clickjacking protection via the X-Frame-Options header </ref/clickjacking/>`. Simple :doc:`clickjacking protection via the X-Frame-Options header </ref/clickjacking/>`.
.. _middleware-ordering:
Middleware ordering
===================
Here are some hints about the ordering of various Django middleware classes:
#. :class:`~django.middleware.cache.UpdateCacheMiddleware`
Before those that modify the ``Vary`` header (``SessionMiddleware``,
``GZipMiddleware``, ``LocaleMiddleware``).
#. :class:`~django.middleware.gzip.GZipMiddleware`
Before any middleware that may change or use the response body.
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
#. :class:`~django.middleware.http.ConditionalGetMiddleware`
Before ``CommonMiddleware``: uses its ``Etag`` header when
:setting:`USE_ETAGS` = ``True``.
#. :class:`~django.contrib.sessions.middleware.SessionMiddleware`
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
#. :class:`~django.middleware.locale.LocaleMiddleware`
One of the topmost, after ``SessionMiddleware`` (uses session data) and
``CacheMiddleware`` (modifies ``Vary`` header).
#. :class:`~django.middleware.common.CommonMiddleware`
Before any middleware that may change the response (it calculates ``ETags``).
After ``GZipMiddleware`` so it won't calculate an ``ETag`` header on gzipped
contents.
Close to the top: it redirects when :setting:`APPEND_SLASH` or
:setting:`PREPEND_WWW` are set to ``True``.
#. :class:`~django.middleware.csrf.CsrfViewMiddleware`
Before any view middleware that assumes that CSRF attacks have been dealt
with.
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
After ``SessionMiddleware``: uses session storage.
#. :class:`~django.contrib.messages.middleware.MessageMiddleware`
After ``SessionMiddleware``: can use session-based storage.
#. :class:`~django.middleware.cache.FetchFromCacheMiddleware`
After any middleware that modifies the ``Vary`` header: that header is used
to pick a value for the cache hash-key.
#. :class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware`
Should be near the bottom as it's a last-resort type of middleware.
#. :class:`~django.contrib.redirects.middleware.RedirectFallbackMiddleware`
Should be near the bottom as it's a last-resort type of middleware.
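Review bot: The list never says what "Before" and "After" are measured against, and the introductory sentence "Here are some hints about the ordering of various Django middleware classes:" is the place to state it. The ``CommonMiddleware`` hint ("After ``GZipMiddleware`` so it won't calculate an ``ETag`` header on gzipped contents") only makes sense as a position in :setting:`MIDDLEWARE_CLASSES`, so please say explicitly that the hints refer to list position in that setting. This matters most for the ``CsrfViewMiddleware``, ``SessionMiddleware`` and ``AuthenticationMiddleware`` entries, where a reader who misreads the direction ends up with views running ahead of the protection they assume. Two smaller points in the same hunk: the ``LocaleMiddleware`` entry names ``CacheMiddleware`` while every other entry uses ``UpdateCacheMiddleware`` or ``FetchFromCacheMiddleware``, and its parenthetical "(modifies ``Vary`` header)" does not make clear which of the two classes does the modifying; and the header is spelled ``Etag`` under ``ConditionalGetMiddleware`` but ``ETag`` under ``CommonMiddleware``, so pick one spelling.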


@@ -45,7 +45,9 @@ The order in :setting:`MIDDLEWARE_CLASSES` matters because a middleware can
depend on other middleware. For instance, depend on other middleware. For instance,
:class:`~django.contrib.auth.middleware.AuthenticationMiddleware` stores the :class:`~django.contrib.auth.middleware.AuthenticationMiddleware` stores the
authenticated user in the session; therefore, it must run after authenticated user in the session; therefore, it must run after
:class:`~django.contrib.sessions.middleware.SessionMiddleware`. :class:`~django.contrib.sessions.middleware.SessionMiddleware`. See
:ref:`middleware-ordering` for some common hints about ordering of Django
middleware classes.
Hooks and application order Hooks and application order
=========================== ===========================
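Review bot: Wording nit in the added sentence: "for some common hints about ordering of Django middleware classes" drops the article that the new reference section uses ("hints about the ordering of various Django middleware classes"). Suggest "for some common hints about the ordering of Django middleware classes" so the cross-reference reads the same as its target.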