By default, Django offers protection against Cross-Site Request Forgery (CSRF) attacks by sending a CSRF token to webpages it generates, which is then sent back with requests to validate them. This is detailed here.

Django provides the csrf_exempt decorator to disable this behaviour. What are some good reasons programmers might want to use it?

This details why it could be dangerous, I'm interested in how it could be useful.

I'm looking for answers that are not obvious (e.g. not knowing how to use the CSRF protection or disabling it temporarily).

Vlad Schnakovszki

3 Answers

For instance, we use it for an interface where another party posts data programmatically. Thus, they can never get a csrf token. The page is, however, basic-auth secured.

user2390182

The project I am working on has tiny embedded devices talking HTTP to a Django application server over a VPN. The HTTP client on these is very primitive, so we disable CSRF.

Mad Wombat

Whenever your client sends a request to the server, some confidential information will be sent along with the request. The CSRF token prevents a malicious site from abusing that information. Particularly, this prevents a malicious site from sending a forged request that uses your cookies and/or session to authenticate your client and authorize the action. Any information that is automatically and implicitly sent on every request by your client is vulnerable to a CSRF attack (though not all information might actually be useful in such an attack).

The @csrf_exempt decorator can safely be used to avoid the CSRF protection mechanism if and only if the server-side actions that result from the request do not depend on the authentication and authorization that is sent implicitly by the client. Examples are token-based authentication and HTTP Basic authentication. For these forms of authentication, the client must explicitly send the token or credentials for each request. If a malicious site forges a request, it cannot send the required authentication information to the server (unless a different vulnerability exposes that information), and the request is denied. In such cases, CSRF does not offer any extra protection.

knbk
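The condition in the last answer (exempt only when authorization is explicit per request, not cookie-borne), shown as an added example that is not part of any answer above: a CSRF-exempt endpoint that accepts only explicit HTTP Basic credentials, so a cross-site request carrying just the session cookie is refused. The `FakeRequest` stand-in, the `ingest` view, its integer status codes and the `partner` credentials are assumptions of this example; the decorator import falls back to a no-op when Django is not installed so the file runs on its own.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

try:
    # In a real project this is the Django decorator the question asks about.
    from django.views.decorators.csrf import csrf_exempt
except ImportError:  # Django absent: no-op stand-in so the example runs alone
    def csrf_exempt(view):
        return view

# Constructed credentials for the machine-to-machine client (hypothetical).
API_USER = "partner"
API_PASSWORD = "s3cret-example"


@dataclass
class FakeRequest:
    """Minimal stand-in exposing the HttpRequest attributes the view reads."""
    method: str = "POST"
    META: dict = field(default_factory=dict)
    COOKIES: dict = field(default_factory=dict)


def basic_auth_ok(request) -> bool:
    """True only if the request carries explicit, valid HTTP Basic credentials."""
    scheme, _, encoded = request.META.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        user, _, pw = base64.b64decode(encoded, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Constant-time comparison so timing does not reveal which byte differed.
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(pw, API_PASSWORD)


@csrf_exempt
def ingest(request):
    """Returns an HTTP status (a real view would return an HttpResponse).
    Cookies are never consulted, so a forged cross-site POST cannot authorize."""
    if request.method != "POST":
        return 405
    if not basic_auth_ok(request):
        return 401
    return 200  # request.body would be processed here


def forged_request():
    # Browser-initiated cross-site POST: session cookie attached, no credentials.
    return FakeRequest(COOKIES={"sessionid": "abc123"})


def partner_request():
    token = base64.b64encode(f"{API_USER}:{API_PASSWORD}".encode()).decode()
    return FakeRequest(META={"HTTP_AUTHORIZATION": f"Basic {token}"})
```

The same shape applies to token-based schemes: replace `basic_auth_ok` with a check of an explicitly sent `Authorization: Bearer` or API-key header and keep the rule that nothing read from `request.COOKIES` grants access.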