==========Middleware==========Middleware is a framework of hooks into Django's request/response processing.It's a light, low-level "plugin" system for globally altering Django's inputor output.Each middleware component is responsible for doing some specific function. Forexample, Django includes a middleware component,:class:`~django.contrib.auth.middleware.AuthenticationMiddleware`, thatassociates users with requests using sessions.This document explains how middleware works, how you activate middleware, andhow to write your own middleware. Django ships with some built-in middlewareyou can use right out of the box. They're documented in the :doc:`built-inmiddleware reference </ref/middleware>`.Writing your own middleware===========================A middleware factory is a callable that takes a ``get_response`` callable andreturns a middleware. A middleware is a callable that takes a request andreturns a response, just like a view.A middleware can be written as a function that looks like this::def simple_middleware(get_response):# One-time configuration and initialization.def middleware(request):# Code to be executed for each request before# the view (and later middleware) are called.response = get_response(request)# Code to be executed for each request/response after# the view is called.return responsereturn middlewareOr it can be written as a class whose instances are callable, like this::class SimpleMiddleware:def __init__(self, get_response):self.get_response = get_response# One-time configuration and initialization.def __call__(self, request):# Code to be executed for each request before# the view (and later middleware) are called.response = self.get_response(request)# Code to be executed for each request/response after# the view is called.return responseThe ``get_response`` callable provided by Django might be the actual view (ifthis is the last listed middleware) or it might be the next middleware in thechain. The current middleware doesn't need to know or care what exactly it is,just that it represents whatever comes next.The above is a slight simplification -- the ``get_response`` callable for thelast middleware in the chain won't be the actual view but rather a wrappermethod from the handler which takes care of applying :ref:`view middleware<view-middleware>`, calling the view with appropriate URL arguments, andapplying :ref:`template-response <template-response-middleware>` and:ref:`exception <exception-middleware>` middleware.Middleware can either support only synchronous Python (the default), onlyasynchronous Python, or both. See :ref:`async-middleware` for details of how toadvertise what you support, and know what kind of request you are getting.Middleware can live anywhere on your Python path.``__init__(get_response)``--------------------------Middleware factories must accept a ``get_response`` argument. You can alsoinitialize some global state for the middleware. Keep in mind a couple ofcaveats:* Django initializes your middleware with only the ``get_response`` argument,so you can't define ``__init__()`` as requiring any other arguments.* Unlike the ``__call__()`` method which is called once per request,``__init__()`` is called only *once*, when the web server starts.Marking middleware as unused----------------------------It's sometimes useful to determine at startup time whether a piece ofmiddleware should be used. In these cases, your middleware's ``__init__()``method may raise :exc:`~django.core.exceptions.MiddlewareNotUsed`. Django willthen remove that middleware from the middleware process and log a debug messageto the :ref:`django-request-logger` logger when :setting:`DEBUG` is ``True``.Activating middleware=====================To activate a middleware component, add it to the :setting:`MIDDLEWARE` list inyour Django settings.In :setting:`MIDDLEWARE`, each middleware component is represented by a string:the full Python path to the middleware factory's class or function name. Forexample, here's the default value created by :djadmin:`django-adminstartproject <startproject>`::MIDDLEWARE = ['django.middleware.security.SecurityMiddleware','django.contrib.sessions.middleware.SessionMiddleware','django.middleware.common.CommonMiddleware','django.middleware.csrf.CsrfViewMiddleware','django.contrib.auth.middleware.AuthenticationMiddleware','django.contrib.messages.middleware.MessageMiddleware','django.middleware.clickjacking.XFrameOptionsMiddleware',]A Django installation doesn't require any middleware — :setting:`MIDDLEWARE`can be empty, if you'd like — but it's strongly suggested that you at least use:class:`~django.middleware.common.CommonMiddleware`.The order in :setting:`MIDDLEWARE` matters because a middleware can depend onother middleware. For instance,:class:`~django.contrib.auth.middleware.AuthenticationMiddleware` stores theauthenticated user in the session; therefore, it must run after:class:`~django.contrib.sessions.middleware.SessionMiddleware`. See:ref:`middleware-ordering` for some common hints about ordering of Djangomiddleware classes.Middleware order and layering=============================During the request phase, before calling the view, Django applies middleware inthe order it's defined in :setting:`MIDDLEWARE`, top-down.You can think of it like an onion: each middleware class is a "layer" thatwraps the view, which is in the core of the onion. If the request passesthrough all the layers of the onion (each one calls ``get_response`` to passthe request in to the next layer), all the way to the view at the core, theresponse will then pass through every layer (in reverse order) on the way backout.If one of the layers decides to short-circuit and return a response withoutever calling its ``get_response``, none of the layers of the onion inside thatlayer (including the view) will see the request or the response. The responsewill only return through the same layers that the request passed in through.Other middleware hooks======================Besides the basic request/response middleware pattern described earlier, youcan add three other special methods to class-based middleware:.. _view-middleware:``process_view()``------------------.. method:: process_view(request, view_func, view_args, view_kwargs)``request`` is an :class:`~django.http.HttpRequest` object. ``view_func`` isthe Python function that Django is about to use. (It's the actual functionobject, not the name of the function as a string.) ``view_args`` is a list ofpositional arguments that will be passed to the view, and ``view_kwargs`` is adictionary of keyword arguments that will be passed to the view. Neither``view_args`` nor ``view_kwargs`` include the first view argument(``request``).``process_view()`` is called just before Django calls the view.It should return either ``None`` or an :class:`~django.http.HttpResponse`object. If it returns ``None``, Django will continue processing this request,executing any other ``process_view()`` middleware and, then, the appropriateview. If it returns an :class:`~django.http.HttpResponse` object, Django won'tbother calling the appropriate view; it'll apply response middleware to that:class:`~django.http.HttpResponse` and return the result... note::Accessing :attr:`request.POST <django.http.HttpRequest.POST>` insidemiddleware before the view runs or in ``process_view()`` will prevent anyview running after the middleware from being able to :ref:`modify theupload handlers for the request <modifying_upload_handlers_on_the_fly>`,and should normally be avoided.The :class:`~django.middleware.csrf.CsrfViewMiddleware` class can beconsidered an exception, as it provides the:func:`~django.views.decorators.csrf.csrf_exempt` and:func:`~django.views.decorators.csrf.csrf_protect` decorators which allowviews to explicitly control at what point the CSRF validation should occur... _exception-middleware:``process_exception()``-----------------------.. method:: process_exception(request, exception)``request`` is an :class:`~django.http.HttpRequest` object. ``exception`` is an``Exception`` object raised by the view function.Django calls ``process_exception()`` when a view raises an exception.``process_exception()`` should return either ``None`` or an:class:`~django.http.HttpResponse` object. If it returns an:class:`~django.http.HttpResponse` object, the template response and responsemiddleware will be applied and the resulting response returned to thebrowser. Otherwise, :ref:`default exception handling <error-views>` kicks in.Again, middleware are run in reverse order during the response phase, whichincludes ``process_exception``. If an exception middleware returns a response,the ``process_exception`` methods of the middleware classes above thatmiddleware won't be called at all... _template-response-middleware:``process_template_response()``-------------------------------.. method:: process_template_response(request, response)``request`` is an :class:`~django.http.HttpRequest` object. ``response`` isthe :class:`~django.template.response.TemplateResponse` object (or equivalent)returned by a Django view or by a middleware.``process_template_response()`` is called just after the view has finishedexecuting, if the response instance has a ``render()`` method, indicating thatit is a :class:`~django.template.response.TemplateResponse` or equivalent.It must return a response object that implements a ``render`` method. It couldalter the given ``response`` by changing ``response.template_name`` and``response.context_data``, or it could create and return a brand-new:class:`~django.template.response.TemplateResponse` or equivalent.You don't need to explicitly render responses -- responses will beautomatically rendered once all template response middleware has beencalled.Middleware are run in reverse order during the response phase, whichincludes ``process_template_response()``.Dealing with streaming responses================================Unlike :class:`~django.http.HttpResponse`,:class:`~django.http.StreamingHttpResponse` does not have a ``content``attribute. As a result, middleware can no longer assume that all responseswill have a ``content`` attribute. If they need access to the content, theymust test for streaming responses and adjust their behavior accordingly::if response.streaming:response.streaming_content = wrap_streaming_content(response.streaming_content)else:response.content = alter_content(response.content).. note::``streaming_content`` should be assumed to be too large to hold in memory.Response middleware may wrap it in a new generator, but must not consumeit. Wrapping is typically implemented as follows::def wrap_streaming_content(content):for chunk in content:yield alter_content(chunk)Exception handling==================Django automatically converts exceptions raised by the view or by middlewareinto an appropriate HTTP response with an error status code. :ref:`Certainexceptions <error-views>` are converted to 4xx status codes, while an unknownexception is converted to a 500 status code.This conversion takes place before and after each middleware (you can think ofit as the thin film in between each layer of the onion), so that everymiddleware can always rely on getting some kind of HTTP response back fromcalling its ``get_response`` callable. Middleware don't need to worry aboutwrapping their call to ``get_response`` in a ``try/except`` and handling anexception that might have been raised by a later middleware or the view. Evenif the very next middleware in the chain raises an:class:`~django.http.Http404` exception, for example, your middleware won't seethat exception; instead it will get an :class:`~django.http.HttpResponse`object with a :attr:`~django.http.HttpResponse.status_code` of 404.You can set :setting:`DEBUG_PROPAGATE_EXCEPTIONS` to ``True`` to skip thisconversion and propagate exceptions upward... _async-middleware:Asynchronous support====================Middleware can support any combination of synchronous and asynchronousrequests. Django will adapt requests to fit the middleware's requirements if itcannot support both, but at a performance penalty.By default, Django assumes that your middleware is capable of handling onlysynchronous requests. To change these assumptions, set the following attributeson your middleware factory function or class:* ``sync_capable`` is a boolean indicating if the middleware can handlesynchronous requests. Defaults to ``True``.* ``async_capable`` is a boolean indicating if the middleware can handleasynchronous requests. Defaults to ``False``.If your middleware has both ``sync_capable = True`` and``async_capable = True``, then Django will pass it the request withoutconverting it. In this case, you can work out if your middleware will receiveasync requests by checking if the ``get_response`` object you are passed is acoroutine function, using ``asyncio.iscoroutinefunction``.The ``django.utils.decorators`` module contains:func:`~django.utils.decorators.sync_only_middleware`,:func:`~django.utils.decorators.async_only_middleware`, and:func:`~django.utils.decorators.sync_and_async_middleware` decorators thatallow you to apply these flags to middleware factory functions.The returned callable must match the sync or async nature of the``get_response`` method. If you have an asynchronous ``get_response``, you mustreturn a coroutine function (``async def``).``process_view``, ``process_template_response`` and ``process_exception``methods, if they are provided, should also be adapted to match the sync/asyncmode. However, Django will individually adapt them as required if you do not,at an additional performance penalty.Here's an example of how to create a middleware function that supports both::import asynciofrom django.utils.decorators import sync_and_async_middleware@sync_and_async_middlewaredef simple_middleware(get_response):# One-time configuration and initialization goes here.if asyncio.iscoroutinefunction(get_response):async def middleware(request):# Do something here!response = await get_response(request)return responseelse:def middleware(request):# Do something here!response = get_response(request)return responsereturn middleware.. note::If you declare a hybrid middleware that supports both synchronous andasynchronous calls, the kind of call you get may not match the underlyingview. Django will optimize the middleware call stack to have as fewsync/async transitions as possible.Thus, even if you are wrapping an async view, you may be called in syncmode if there is other, synchronous middleware between you and the view... _upgrading-middleware:Upgrading pre-Django 1.10-style middleware==========================================.. class:: django.utils.deprecation.MiddlewareMixin:module:Django provides ``django.utils.deprecation.MiddlewareMixin`` to ease creatingmiddleware classes that are compatible with both :setting:`MIDDLEWARE` and theold ``MIDDLEWARE_CLASSES``, and support synchronous and asynchronous requests.All middleware classes included with Django are compatible with both settings.The mixin provides an ``__init__()`` method that requires a ``get_response``argument and stores it in ``self.get_response``.The ``__call__()`` method:#. Calls ``self.process_request(request)`` (if defined).#. Calls ``self.get_response(request)`` to get the response from latermiddleware and the view.#. Calls ``self.process_response(request, response)`` (if defined).#. Returns the response.If used with ``MIDDLEWARE_CLASSES``, the ``__call__()`` method willnever be used; Django calls ``process_request()`` and ``process_response()``directly.In most cases, inheriting from this mixin will be sufficient to make anold-style middleware compatible with the new system with sufficientbackwards-compatibility. The new short-circuiting semantics will be harmless oreven beneficial to the existing middleware. In a few cases, a middleware classmay need some changes to adjust to the new semantics.These are the behavioral differences between using :setting:`MIDDLEWARE` and``MIDDLEWARE_CLASSES``:#. Under ``MIDDLEWARE_CLASSES``, every middleware will always have its``process_response`` method called, even if an earlier middlewareshort-circuited by returning a response from its ``process_request``method. Under :setting:`MIDDLEWARE`, middleware behaves more like an onion:the layers that a response goes through on the way out are the same layersthat saw the request on the way in. If a middleware short-circuits, onlythat middleware and the ones before it in :setting:`MIDDLEWARE` will see theresponse.#. Under ``MIDDLEWARE_CLASSES``, ``process_exception`` is applied toexceptions raised from a middleware ``process_request`` method. Under:setting:`MIDDLEWARE`, ``process_exception`` applies only to exceptionsraised from the view (or from the ``render`` method of a:class:`~django.template.response.TemplateResponse`). Exceptions raised froma middleware are converted to the appropriate HTTP response and then passedto the next middleware.#. Under ``MIDDLEWARE_CLASSES``, if a ``process_response`` method raisesan exception, the ``process_response`` methods of all earlier middleware areskipped and a ``500 Internal Server Error`` HTTP response is alwaysreturned (even if the exception raised was e.g. an:class:`~django.http.Http404`). Under :setting:`MIDDLEWARE`, an exceptionraised from a middleware will immediately be converted to the appropriateHTTP response, and then the next middleware in line will see thatresponse. Middleware are never skipped due to a middleware raising anexception.