Questions tagged [django-csrf]

django-csrf is the Cross Site Request Forgery (CSRF) protection middleware for Django.

The CSRF middleware for Django modifies outgoing responses that are associated with a session by adding a hidden form field to all 'POST' forms, with the name 'csrfmiddlewaretoken' and a value that is a hash of the session ID plus a secret.

The middleware then processes all incoming POST requests that have the session cookie set, checks that the 'csrfmiddlewaretoken' is present and correct, and if it isn't, returns a 403 error.

618 questions
19 votes, 7 answers

What is the right way to use angular2 http requests with Django CSRF protection?

In Angular1 the problem can be solved by configuring $http-provider. Like: app.config(function($httpProvider) { $httpProvider.defaults.xsrfCookieName = 'csrftoken'; $httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken'; }); What is a good…
Viktar K
18 votes, 7 answers

csrf error in django

I want to realize a login for my site. I basically copied and pasted the following bits from the Django Book together. However I still get an error (CSRF verification failed. Request aborted.), when submitting my registration form. Can somebody tell…
niklasfi
17 votes, 4 answers

Django @csrf_exempt not working in class View

I have an application in Django 1.9 that uses SessionMiddleware. I would like to create an API for this application inside the same project, but when doing a POST request the @csrf_exempt annotation does not work. I am doing the requests through…
Carlos
17 votes, 2 answers

Ajax, CSRF and DELETE

I use the getCookie function from the django documentation to get the csrfmiddlewaretoken value. I have the following ajax call: var url = reverse_removeprofile.replace(/deadbeef/, key); $.ajax({ type: "DELETE", url: url, …
Pablo
16 votes, 3 answers

@csrf_exempt stopped working in Django 1.4

I have the following code, that was working fine in Django 1.2.5: from django.views.decorators.csrf import csrf_exempt class ApiView(object): def __call__(self, request, *args, **kwargs): method = request.method.upper() return…
lfagundes
16 votes, 4 answers

Django - CSRF token missing or incorrect

I just updated my django to 1.4. But I am getting the following error when I try to submit my login form: Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: CSRF token missing or incorrect. In my…
Thomas
15 votes, 2 answers

Disabling Django CSRF for views that do not always have a response

I have a Django view that receives POSTs which do not need to have the CSRF token. Therefore I used the @csrf_exempt decorator on the view. The problem is that sometimes I do not issue a response from the view (it's a Twitter bot, it receives an…
Adam
14 votes, 4 answers

What is CSRF Protection really for?

I've been hearing about CSRF a long time ago, and the thing I hear most of the time is: Protecting against CSRF attacks is important so that someone doesn't submit your form automatically (using a bot or something) Well, that isn't 100% true, is…
Oscar Mederos
13 votes, 2 answers

Django CSRF token won't show

Here's the relevant snippet of HTML in the template:
{% csrf_token %} {% include "backbone/form_errors.html" %} {{form.as_p}}
Here is…
Ben G
13 votes, 1 answer

Django: Forcing CSRF token on all responses

My website has an AJAX POST view that can be called from any page on the app (event tracking). This view is protected by CSRF. In some cases, the CSRF cookie is not set, and the POST call fails. Instead of manually decorating all views with…
Tzach
13 votes, 4 answers

Django check CSRF token manually

I am implementing an API that works either with an API key, or with a CSRF token. The goal is for it to be usable either by a web app (protected by CSRF) or by a third party application (protected by API key). Basically on each request (all via…
Leah Sapan
12 votes, 2 answers

CSRF is only checked when authenticated in DRF?

TLDR; It seems that my POSTs (to DRF endpoints) are only CSRF protected if the client has an authenticated session. This is wrong, and leaves the application open to login CSRF attacks. How can I fix this? I'm starting to build a django rest…
12 votes, 2 answers

CSRF verification Failed - Referer is insecure while host is secure

I upgraded Django from 1.8 to 1.9. Afterwards, I get this error on my localhost after the Django admin login: Referer checking failed - Referer is insecure while host is secure. Everything works fine in production. Below is a snippet of my…
Patrick Tutu
11 votes, 2 answers

In what case can CSRF-exempt be dangerous?

This question is more a reassurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I try here. I have read the documents in the django-docs (…
marue
11 votes, 6 answers

How do I include Django 1.2's CSRF token in a Javascript-generated HTML form?

I recently upgraded to Django 1.2.3 and my upload forms are now broken. Whenever I attempt to upload, I receive a "CSRF verification failed. Request aborted." error message. After reading Django's documentation on this subject, it states that I need…
Huuuze