I was reading this page on how to add a favicon to a Django website. In this article, the following code is presented to serve a favicon from the project root:
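    from django.conf import settings
    from django.http import FileResponse, HttpRequest, HttpResponse
    from django.views.decorators.cache import cache_control
    from django.views.decorators.http import require_GET


    @require_GET
    @cache_control(max_age=60 * 60 * 24, immutable=True, public=True)  # one day
    def favicon(request: HttpRequest) -> HttpResponse:
        # Serve a different icon while developing
        if settings.DEBUG:
            name = "favicon-debug.png"
        else:
            name = "favicon.png"
        # FileResponse closes the file once the response has been sent
        file = (settings.BASE_DIR / "static" / name).open("rb")
        return FileResponse(file)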
I understand the @require_GET decorator will ensure this "page" (or in this case just an image, really) can only be opened using a GET request. But I wonder, given that all we output here is just a static image, is there any value in doing so? Why would this decorator be there?
CodePudding user response:
It's certainly not going to hurt, but it definitely isn't necessary. In your case, your favicon() method only serves one function and will only ever execute in one way. Therefore, the decorator is pretty much entirely superfluous.
The author likely just put it there because they heard it was "best practice". They probably also had been using it for all their other views.
Here's a more complete explanation on the Security Stack Exchange: https://security.stackexchange.com/questions/199776/why-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic.