# Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And they send a request with a username `johndoe` and a password `love123`.

## CSRF Risk { #csrf-risk }

This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)

    # Bir hata döndür
    ...
```

Ancak `secrets.compare_digest()` kullanarak, "timing attacks" denilen bir saldırı türüne karşı güvenli olursunuz.

### Timing Attacks { #timing-attacks }

Peki "timing attack" nedir?

Bazı saldırganların kullanıcı adı ve şifreyi tahmin etmeye çalıştığını düşünelim.

    # Devuelve algún error
    ...
```

Pero al usar `secrets.compare_digest()` será seguro contra un tipo de ataques llamados "timing attacks".

### Timing attacks { #timing-attacks }

¿Pero qué es un "timing attack"?

Imaginemos que algunos atacantes están tratando de adivinar el nombre de usuario y la contraseña.

#### Время ответа помогает злоумышленникам { #the-time-to-answer-helps-the-attackers }

Замечая, что сервер прислал «Неверное имя пользователя или пароль» на несколько микросекунд позже, злоумышленники поймут, что какая-то часть была угадана — начальные буквы верны.

    ...
```

此时，Python 要对比 `stanleyjobsox` 与 `stanleyjobson` 中的 `stanleyjobso`，才能知道这两个字符串不一样。因此会多花费几微秒来返回**错误的用户或密码**。

#### 反应时间对攻击者的帮助 { #the-time-to-answer-helps-the-attackers }

通过服务器花费了更多微秒才发送**错误的用户或密码**响应，攻击者会知道猜对了一些内容，起码开头字母是正确的。

然后，他们就可以放弃 `johndoe`，再用类似 `stanleyjobsox` 的内容进行尝试。

#### **专业**攻击 { #a-professional-attack }

当然，攻击者不用手动操作，而是编写每秒能执行成千上万次测试的攻击程序，每次都会找到更多正确字符。

    # Return some error
    ...
```

Porém, ao utilizar o `secrets.compare_digest()`, isso estará seguro contra um tipo de ataque chamado "timing attacks".

### Ataques de Temporização { #timing-attacks }

Mas o que é um "timing attack"?

Vamos imaginar que alguns invasores estão tentando adivinhar o usuário e a senha.

    ...
```

Python 會必須先比較完整的 `stanleyjobso`（在 `stanleyjobsox` 與 `stanleyjobson` 之中都一樣），才會發現兩個字串不同。因此回覆「Incorrect username or password」會多花一些微秒。

#### 回應時間幫了攻擊者 { #the-time-to-answer-helps-the-attackers }

此時，透過觀察伺服器回覆「Incorrect username or password」多花了幾個微秒，攻擊者就知道他們有某些地方猜對了，前幾個字母是正確的。

接著他們會再嘗試，知道它更可能接近 `stanleyjobsox` 而不是 `johndoe`。

#### 「專業」的攻擊 { #a-professional-attack }

#### Die Zeit zum Antworten hilft den Angreifern { #the-time-to-answer-helps-the-attackers }

/// tip | Порада