
I have a concern about the safety of using Django's {{ csrf_token }} in an ajax call stated in a template. Consider the case below:

    // Rendered inside a Django template: the {% url %} tag, {{ csrf_token }}
    // and {{ some_data }} are substituted server-side before the JS is sent.
    function set_sensitive_data() {
        $.ajax({
            url: "{% url 'some_sensitive_view' %}",
            method: "POST",
            data: {
                // CsrfViewMiddleware reads this POST field and checks it
                // against the secret in the csrftoken cookie / session.
                'csrfmiddlewaretoken': "{{ csrf_token }}",
                'sensitive_data': "{{ some_data }}"
            }
        });
    }

It works perfectly fine, but is there any particular reason why I shouldn't do it this way? I've read the Django docs and know that the preferred way is to use cookies, but that's not my case and I'm not asking about other solutions - I just want to know whether this way is unsafe and, if so, why?

marc_s
quqa123

1 Answer


This is fine. The CSRF token is not reusable and the token is still encrypted in transit as long as you're using HTTPS.

Aayush Agrawal
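As an added illustration, not part of the question or answer and not Django's own code, here is a from-scratch re-implementation of the masking scheme Django's CSRF middleware applies (constants assumed to mirror Django's defaults: a 32-character secret, 64-character token, alphanumeric alphabet). It shows why embedding `{{ csrf_token }}` in the page is equivalent to the cookie approach: every render produces a different masked string, but each one unmasks to the same per-session secret, and the server only accepts a POSTed token that unmasks to the secret it already holds.

```python
import secrets
import string
from hmac import compare_digest

# Assumption: these mirror Django's CSRF defaults; this file is an
# illustrative re-implementation, not the framework's source.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_secret() -> str:
    """The per-session secret stored in the csrftoken cookie (or the session)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """What {{ csrf_token }} renders: a fresh random mask followed by the
    secret shifted by that mask, so each page render shows a different value."""
    chars = CSRF_ALLOWED_CHARS
    mask = "".join(secrets.choice(chars) for _ in range(CSRF_SECRET_LENGTH))
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the secret from a rendered token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def token_matches_secret(posted_token: str, cookie_secret: str) -> bool:
    """Server-side check: the csrfmiddlewaretoken field POSTed by the page
    must be well-formed and unmask to the secret from the request's cookie."""
    if len(posted_token) != CSRF_TOKEN_LENGTH:
        return False
    if any(c not in CSRF_ALLOWED_CHARS for c in posted_token):
        return False
    return compare_digest(unmask_token(posted_token), cookie_secret)


if __name__ == "__main__":
    secret = new_secret()
    first, second = mask_secret(secret), mask_secret(secret)
    # Two renders differ, yet both are accepted against the same secret.
    print(first != second, token_matches_secret(first, secret), token_matches_secret(second, secret))
```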