Questions tagged [django-csrf]

django-csrf covers Django's Cross-Site Request Forgery (CSRF) protection, provided by django.middleware.csrf.CsrfViewMiddleware and enabled by default in projects created with startproject.

The middleware gives each client a random secret in the csrftoken cookie (or in the session when CSRF_USE_SESSIONS is set), and the {% csrf_token %} template tag renders a hidden input named 'csrfmiddlewaretoken' into a form. The input's value is a freshly masked copy of that secret, so it differs on every page load while still unmasking to the same secret; it is not derived from the session ID, and no session is needed.

On every incoming request whose method is not GET, HEAD, OPTIONS or TRACE (so POST, PUT, PATCH and DELETE, with or without a session), the middleware requires the cookie to be present and a matching token to arrive either as the 'csrfmiddlewaretoken' form field or in the X-CSRFToken header, which is how AJAX clients and REST frontends pass it. Since Django 4.0 an Origin header, when the browser sends one, must also match the request's host or an entry in CSRF_TRUSTED_ORIGINS; on HTTPS a request without Origin is checked against its Referer instead. Any failure aborts the view with a 403 rendered by CSRF_FAILURE_VIEW. Individual views can opt out with the @csrf_exempt decorator.

618 questions
11 votes, 2 answers

CSRF Token in Django and iOS

So I am trying to understand what to do here... I am doing a POST call to my Django server from iOS and I keep getting the 403 Error (Invalid CSRF Token). I am thinking about implementing a function that will return me the token (you will need to be…
abisson (4,365 rep)
10 votes, 2 answers

What is the role of the Django csrf token?

We always use csrf_token in Django forms, and it is generated dynamically. If I capture my session with Fiddler and try to submit my form without that token I get a 403 error. But what I don't understand is that I can use Fiddler to submit as much data as I…
rocketdoctor (368 rep)
10 votes, 2 answers

Django - custom 403 template

I'm trying to use my 403, 404, 500 custom templates in Django 1.5. 404 and 500 work perfectly, but 403 is still showing me the built-in Django 403 template. I put all three templates in the root template directory in my project. They are named:…
arnon cohen (485 rep)
10 votes, 2 answers

Is this how Django's CSRF protection works?

Being a beginner at cookies, CSRF and Django (using 1.4), from what I can make out this is how it works, please correct me where I go wrong... The following applies where django.middleware.csrf.CsrfViewMiddleware is included in the…
mr_c (593 rep)
9 votes, 2 answers

django CSRF_TRUSTED_ORIGINS not working as expected

I'm having trouble understanding why a post from a third-party site is being rejected even though the site is added to the CSRF_TRUSTED_ORIGINS list in settings.py. I'm receiving a 403 error after the post stating that the CSRF check has failed. I…
d1spstack (930 rep)
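The rejection in the question above comes from the step CsrfViewMiddleware runs before it looks at the token at all: the Origin header (checked on every unsafe request since Django 4.0) or, on HTTPS when no Origin is sent, the Referer header, each matched against the request's own host and CSRF_TRUSTED_ORIGINS. The same step is what a browser extension's Referer/Origin hits in the later question on this page. Below is an added stand-alone model of that decision logic written for this page; it is not Django's source, it uses only the standard library, and the function names, the sample hosts app.example and partner.example, and the assumption of default ports are this example's own.

```python
"""Stand-alone model of the Origin / Referer step of Django's CsrfViewMiddleware.

Added example, not Django's source: standard library only; function names and
sample hosts are this example's own; default ports are assumed throughout.
"""
from urllib.parse import urlparse

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def is_same_domain(host, pattern):
    """Port of django.utils.http.is_same_domain: exact match, or, when the
    pattern starts with a dot, that domain and any subdomain of it."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def origin_allowed(origin, request_origin, trusted_origins):
    """Origin header check: same origin, an exact CSRF_TRUSTED_ORIGINS entry,
    or a wildcard entry ('https://*.partner.example') with the same scheme."""
    if origin == request_origin or origin in [o for o in trusted_origins if "*" not in o]:
        return True
    parsed = urlparse(origin)
    wildcard_hosts = [
        urlparse(o).netloc.lstrip("*")            # '*.partner.example' -> '.partner.example'
        for o in trusted_origins
        if "*" in o and urlparse(o).scheme == parsed.scheme
    ]
    return any(is_same_domain(parsed.netloc, host) for host in wildcard_hosts)


def verify_source(method, is_secure, request_origin, origin=None, referer=None,
                  trusted_origins=(), cookie_domain=None):
    """Source check for one request; request_origin is the scheme://host the app
    is served on. Returns (True, None) or (False, reason) with wording modelled
    on Django's 403 page. Passing here is not enough on its own: the
    csrfmiddlewaretoken / X-CSRFToken comparison still runs afterwards."""
    if method.upper() in SAFE_METHODS:
        return True, None
    if origin is not None:
        # Browsers send Origin on cross-site POSTs, so a third-party form lands
        # here; CSRF_TRUSTED_ORIGINS matters only in this step, never for the token.
        if origin_allowed(origin, request_origin, trusted_origins):
            return True, None
        return False, f"Origin checking failed - {origin} does not match any trusted origins."
    if not is_secure:
        return True, None  # plain HTTP without Origin: straight on to the token check
    # HTTPS without Origin: the Referer must be present, https, and trusted.
    if referer is None:
        return False, "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return False, "Referer checking failed - Referer is malformed."
    if parsed.scheme != "https":
        return False, "Referer checking failed - Referer is insecure while host is secure."
    trusted_hosts = [urlparse(o).netloc.lstrip("*") for o in trusted_origins]
    if any(is_same_domain(parsed.netloc, host) for host in trusted_hosts):
        return True, None
    good_referer = cookie_domain or urlparse(request_origin).netloc
    if is_same_domain(parsed.netloc, good_referer):
        return True, None
    return False, f"Referer checking failed - {referer} does not match any trusted origins."


def demo():
    """Constructed scenario: a page on https://partner.example posting to the
    Django app at https://app.example, under various settings and headers."""
    app, partner = "https://app.example", "https://partner.example"
    return {
        "untrusted": verify_source("POST", True, app, origin=partner),
        "trusted": verify_source("POST", True, app, origin=partner, trusted_origins=(partner,)),
        "wildcard": verify_source("POST", True, app, origin="https://forms.partner.example",
                                  trusted_origins=("https://*.partner.example",)),
        "lookalike": verify_source("POST", True, app, origin="https://evilpartner.example",
                                   trusted_origins=("https://*.partner.example",)),
        "same_site": verify_source("POST", True, app, origin=app),
        "referer_only": verify_source("POST", True, app, referer="https://app.example/form/"),
        "insecure_referer": verify_source("POST", True, app, referer="http://app.example/form/"),
        "no_referer": verify_source("POST", True, app),
        "plain_http": verify_source("POST", False, app),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Adding the third-party site to CSRF_TRUSTED_ORIGINS (with its scheme, which Django 4.0 and later require; 3.2 and earlier took a bare host name) only satisfies this source step. The token comparison runs next, so a cross-site form that does not carry a valid csrfmiddlewaretoken for the visitor's own cookie is still answered with a 403; a view that has to accept posts from another site needs @csrf_exempt and its own authentication instead.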
9 votes, 4 answers

With Django @csrf_exempt, request.session is always empty

I am stuck in Django and would really appreciate it if someone could help me. I need to have an entry point for a 3rd-party API. So I created a view and decorated it with @csrf_exempt. Now the problem is I am not able to access any session variables…
GKV (864 rep)
9 votes, 4 answers

How to use $.post with django?

How can I use the jquery.post() method in Django? This is what I am trying to do: var postdata={ 'username':$('#login-email').val(), 'password':$('#login-password').val() } …
tallowen (4,198 rep)
9 votes, 2 answers

Django CSRF Verification failed for admin panel

I started a fresh Django 1.11 project with one app, one model and one admin panel. Locally, everything works. When I deploy it to Amazon EC2 and try to log in to the admin panel, I get a 403 (CSRF verification failed. Request aborted.). I see this…
physicalattraction (6,485 rep)
9 votes, 1 answer

Forbidden (CSRF token missing or incorrect.):

I am making an ajax call like below: var data_dict = {'user':{{ user.id }}, 'bookId':that.id, 'csrfmiddlewaretoken': '{{ csrf_token }}'}; $.ajax({ type: 'POST', url:"/issuebook", data:data_dict, processData: false, …
ankit (1,499 rep)
9 votes, 1 answer

How does one ignore CSRF tokens sent to Django REST Framework?

I have a single page angularjs application utilizing JWT authentication. Because JWTs are sent with every single request, it seems redundant to use CSRF tokens in my forms. In order to disable CSRF checking, I commented out…
9 votes, 1 answer

Must the Django csrf token be unique on every request?

I have a question about the Django CsrfViewMiddleware mechanism. I know that Django: sets a new csrftoken cookie on every request; checks that the X-CSRFToken header value (or hidden input "csrfmiddlewaretoken") must equal the csrftoken cookie. But…
akozin (529 rep)
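The tag description at the top of the page and the question above both turn on how the hidden-field token relates to the cookie. Below is an added stand-alone reproduction of Django's masking scheme and of the comparison CsrfViewMiddleware performs, written for this page with only the standard library; it is not Django's own code, the function names are this example's, and check_request models only the token step (the Origin/Referer step that precedes it on a real request is left out). It goes slightly beyond the question by also accepting the bare 32-character secret that Django 4.1 and later allow alongside the 64-character masked token.

```python
"""Stand-alone model of the token step of Django's CsrfViewMiddleware.

Added example, not Django's source: the constants match django/middleware/csrf.py,
everything else (function names, reason wording) is this example's own.
"""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_secret():
    """Random per-client secret: the value Django stores in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, mask=None):
    """Masked token: a random 32-char mask followed by (secret + mask) taken
    character by character modulo the alphabet. Each call gives a different
    token for the same secret, which is why the hidden field changes between
    page loads while the cookie does not. 'mask' is fixable only for tests."""
    mask = mask or new_secret()
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % len(CSRF_ALLOWED_CHARS)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: subtract the mask half from the cipher half."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % len(CSRF_ALLOWED_CHARS)]
        for c, m in zip(cipher, mask)
    )


def check_request(method, cookie_secret, form_token=None, header_token=None):
    """Token check for one request. cookie_secret is the csrftoken cookie value,
    form_token the csrfmiddlewaretoken field, header_token the X-CSRFToken header.
    Returns (True, None) or (False, reason) with wording modelled on Django's."""
    if method.upper() in CSRF_SAFE_METHODS:
        return True, None
    if not (isinstance(cookie_secret, str) and len(cookie_secret) == CSRF_SECRET_LENGTH
            and all(c in CSRF_ALLOWED_CHARS for c in cookie_secret)):
        return False, "CSRF cookie not set."
    # Django reads the form field only for POST; every unsafe method, POST
    # included, falls back to the header when no form token is present.
    token = (form_token or "") if method.upper() == "POST" else ""
    if not token:
        token = header_token or ""
    if not token:
        return False, "CSRF token missing."
    if len(token) not in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH):
        return False, "CSRF token has incorrect length."
    if not all(c in CSRF_ALLOWED_CHARS for c in token):
        return False, "CSRF token has invalid characters."
    # A 64-char token is unmasked first; a 32-char one is the bare secret.
    presented = token if len(token) == CSRF_SECRET_LENGTH else unmask_token(token)
    if not hmac.compare_digest(presented, cookie_secret):   # constant-time compare
        return False, "CSRF token incorrect."
    return True, None


def demo():
    """Two page loads hand out different tokens; both verify against one cookie."""
    secret = new_secret()
    first, second = mask_secret(secret), mask_secret(secret)
    return {
        "tokens_differ": first != second,
        "same_secret": unmask_token(first) == unmask_token(second) == secret,
        "form_post": check_request("POST", secret, form_token=first),
        "header_delete": check_request("DELETE", secret, header_token=second),
        "form_ignored_on_put": check_request("PUT", secret, form_token=first),
        "no_cookie": check_request("POST", None, form_token=first),
        "foreign_token": check_request("POST", secret, form_token=mask_secret(new_secret())),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

So the token does not have to be unique per request and the middleware never compares two tokens for equality: it unmasks whatever arrived and compares the result with the secret in the cookie in constant time. Any token minted from the same secret, on any earlier page load, verifies until the secret itself changes (Django rotates it on login). The demo also shows the detail behind several questions on this page: a PUT or DELETE from JavaScript must carry the X-CSRFToken header, because the form field is only read for POST.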
8 votes, 2 answers

Getting Django, VUE, CORS and CSRF working with a real world example

I'm really stuck. Here's what I'm trying to do. KEEP CSRF on - please don't tell me to turn it off. I have an API app run by Django and Django Rest Framework. I have a frontend app run by Vue. I have installed django-cors-headers to manage…
8 votes, 1 answer

Django 1.2.4 CSRF verification failed

Django 1.2 is consistently giving me this CSRF verification error when I perform a POST form. I "think" I've done all the things asked in the Django 1.2 docs, namely, Ensure MIDDLEWARE_CLASSES is included with…
Bryan (3,220 rep)
8 votes, 0 answers

CSRF - Referer when performing ajax request from chrome extension with Django Backend

I am using the latest versions of Django and Django Rest Framework. My web application provides an API that is currently used by the front end only. I am in the process of creating a chrome extension using the same API routes. When I use the local…
8 votes, 2 answers

Pass Django CSRF token to Angular with CSRF_COOKIE_HTTPONLY

In Django, when the CSRF_COOKIE_HTTPONLY setting is set to True, the CSRF cookie gains the httponly flag, which is desirable from a security perspective, but breaks the standard angular solution of adding this cookie to the httpProvider like…
Zags (37,389 rep)