Questions tagged [django-csrf]

django-csrf is the Cross Site Request Forgery (CSRF) protection middleware for Django (django.middleware.csrf.CsrfViewMiddleware).

The middleware sets a cookie named 'csrftoken' holding a random secret that is independent of the session. The {% csrf_token %} template tag renders a hidden form field named 'csrfmiddlewaretoken' whose value is derived from that secret; AJAX and scripted clients send the same value in the X-CSRFToken request header instead.

For every incoming request that is not GET, HEAD, OPTIONS or TRACE, the middleware checks that the cookie is present and that the submitted token matches it (and, over HTTPS, that the Referer header names this site). If any check fails the request is rejected with a 403.
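The flow just described, modelled in plain Python so that it runs without Django (an added example, not Django's own code): a cookie secret, the masked token that {% csrf_token %} or an AJAX client submits, and the check that produces the 403 reasons quoted in several questions on this page. The request dict layout, the helper names and the rejection strings are this example's conventions; the masking scheme mirrors Django's (a random 32-character mask followed by the secret shifted by it over [A-Za-z0-9]). It includes the Referer check Django applies over HTTPS and skips the newer Origin-header check.

```python
"""Model of the CsrfViewMiddleware check (added example, not Django's code).

A request is a plain dict so the model runs without Django. Assumed
conventions: keys method, is_secure, host, headers, cookies, POST; the
rejection strings below are this example's own, except the two that the
page quotes from real 403 responses.
"""
import hmac
import secrets
import string
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32                # value stored in the csrftoken cookie
TOKEN_LENGTH = 2 * SECRET_LENGTH  # mask + masked secret, as rendered into forms
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
REASON_BAD_REFERER = "Referer checking failed."


def new_secret() -> str:
    """Fresh random secret for the cookie; independent of any session."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def _shift(text: str, mask: str, sign: int) -> str:
    """Shift each character of text by the matching mask character, modulo the alphabet."""
    n = len(ALLOWED_CHARS)
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) + sign * ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(text, mask)
    )


def mask_secret(secret: str) -> str:
    """Token for the form field or header: a new random mask plus the shifted secret.
    Every render differs while the cookie stays constant, so a compression side
    channel (BREACH) on the HTML body cannot recover the secret."""
    mask = new_secret()
    return mask + _shift(secret, mask, +1)


def unmask_token(token: str) -> str:
    """Recover the secret from a 64-character masked token."""
    return _shift(token[SECRET_LENGTH:], token[:SECRET_LENGTH], -1)


def hidden_input(secret: str) -> str:
    """What {% csrf_token %} renders into a POST form."""
    return f'<input type="hidden" name="csrfmiddlewaretoken" value="{mask_secret(secret)}">'


def _well_formed(value: str, length: int) -> bool:
    return len(value) == length and all(c in ALLOWED_CHARS for c in value)


def _token_matches(request_token: str, cookie_secret: str) -> bool:
    if _well_formed(request_token, TOKEN_LENGTH):
        request_token = unmask_token(request_token)
    elif not _well_formed(request_token, SECRET_LENGTH):  # a bare secret is accepted too
        return False
    return hmac.compare_digest(request_token, cookie_secret)  # constant-time compare


def check_request(request: dict) -> Optional[str]:
    """Return None to accept the request, or the reason the middleware would answer 403."""
    if request["method"] in SAFE_METHODS:
        return None  # safe methods are never checked; they must not change state
    if request.get("is_secure"):
        # Over HTTPS a Referer is required and must be an https URL on this host:
        # otherwise a MITM on a plain-HTTP page could plant a form aimed at the secure site.
        parts = urlsplit(request["headers"].get("Referer", ""))
        if parts.scheme != "https" or parts.netloc != request["host"]:
            return REASON_BAD_REFERER
    cookie_secret = request["cookies"].get("csrftoken")
    if cookie_secret is None or not _well_formed(cookie_secret, SECRET_LENGTH):
        return REASON_NO_COOKIE
    # A POST form field wins; everything else (AJAX, curl, PUT/DELETE) uses the header.
    token = ""
    if request["method"] == "POST":
        token = request.get("POST", {}).get("csrfmiddlewaretoken", "")
    if not token:
        token = request["headers"].get("X-CSRFToken", "")
    if not _token_matches(token, cookie_secret):
        return REASON_BAD_TOKEN
    return None


def example_request(secret: str, **overrides) -> dict:
    """Constructed sample request (not captured traffic) for trying the check."""
    request = {"method": "POST", "is_secure": False, "host": "example.test",
               "headers": {}, "cookies": {"csrftoken": secret}, "POST": {}}
    request.update(overrides)
    return request


if __name__ == "__main__":
    secret = new_secret()
    print(check_request(example_request(secret, POST={"csrfmiddlewaretoken": mask_secret(secret)})))
    print(check_request(example_request(secret, cookies={})))
```

The two failure strings are exactly the ones that appear in the questions below: "CSRF cookie not set." means the browser or script never sent the cookie (the page that set it was never loaded, the cookie was blocked, or the request went to a different host), while "CSRF token missing or incorrect." means the cookie arrived but the form field or X-CSRFToken header did not match it.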

618 questions
5 votes, 2 answers

CSRF token missing or incorrect. Django + AngularJS

I'm getting CSRF token missing or incorrect error while doing a POST request to a remote django api from my localhost machine. My settings on AngularJS: .config(['$httpProvider', function($httpProvider){ $httpProvider.defaults.xsrfCookieName =…
Andre Mendes
  • 7,307
  • 4
  • 14
  • 24
5 votes, 5 answers

CSRF Token Interfering With TDD - Is there a variable that stores csrf output?

So, I kept returning a failing test in Django when comparing expected to actual HTML with form input, so I printed out the result and realized the difference was the rather simple line, caused by my {% csrf_token %}, as follows:
Jordon Birk
  • 480
  • 1
  • 9
  • 28
5 votes, 2 answers

Django REST Framework w/ TokenAuthentication issue with CSRF/CORS

I am using TokenAuthentication in Django REST Framework to have a script remotely access my API. The domain running the API is behind a TLS certificate. I have scoured through MANY sources, and tried many options before coming here to figure out…
5 votes, 1 answer

Firefox not receiving django csrf_token

I am submitting an AJAX form in Django and using xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken')); to get the csrf_token. The form is working well in Chrome. But in Firefox the value of csrf_token is null and it's giving a 403 forbidden error.…
Ashish Gupta
  • 2,574
  • 2
  • 29
  • 58
5 votes, 2 answers

Django X-CSRFToken have been set but still get 403 forbidden

I've developed a Django file upload API which receives the posted data from a client and saves the data as a file. According to the Django CSRF manual, the HTTP request header should set X-CSRFToken with the csrftoken cookie value. I've set the…
ybdesire
  • 1,593
  • 1
  • 20
  • 35
5 votes, 1 answer

Django - How to do CSRF on public pages? Or, better yet, how should it be used period?

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct? I guess…
orokusaki
  • 55,146
  • 59
  • 179
  • 257
5 votes, 1 answer

django-allauth mobile client csrf protect

I would like to use django-allauth services using a mobile client. When I request the login and signup pages it gives a CSRF protection error in order to prevent cross-site requests. I can solve this problem by putting the csrf_exempt tag in dispatch methods in…
mustafa.yavuz
  • 1,274
  • 2
  • 21
  • 40
5 votes, 1 answer

Django CSRF protection for mobile apps and chrome extensions

I have done a few mobile apps using django as my backend, and now I am working on a chrome extension. I want my users to be able to send POST requests up to the server using the app/extension but is there a way to do it without first asking the…
Chase Roberts
  • 9,082
  • 13
  • 73
  • 131
5 votes, 2 answers

Django context processor and csrf_token

I have a login form that I want to be available in all my views, so I created a context processor to add this form to every loaded context. The problem is that {% csrf_token %} on the form template won't render the hidden input tag with the CSRF…
vmassuchetto
  • 1,529
  • 1
  • 20
  • 44
5 votes, 3 answers

How can I get a CSRF token from the command line?

I'm frequently testing my application using curl and in the past I've had to simply wrap my views with csrf_exempt. I really don't want to do this, as I have a nasty feeling that I'll forget to do this in deployment and enjoy a lifetime of CSRF…
Naftuli Kay
  • 87,710
  • 93
  • 269
  • 411
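A scripted client that does what this question asks for, as an added example (not code from the question or from Django): fetch a page once so the server sets csrftoken, read the cookie back from the jar, and replay it in the X-CSRFToken header. The server is a small http.server stand-in that enforces only the double-submit rule (header must equal cookie); its /form and /submit paths are this example's own choices. Both sides run on 127.0.0.1 on an ephemeral port, so the block runs offline.

```python
"""Scripted client obtaining and replaying a Django-style CSRF token.

Added example, not from the question or from Django. The server is a
stand-in: GET sets the csrftoken cookie the way a page using {% csrf_token %}
would, POST rejects requests whose X-CSRFToken header does not equal the
cookie. Paths /form and /submit are assumed names for this example.
"""
import hmac
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlencode

COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"


class StandInHandler(BaseHTTPRequestHandler):
    """Stand-in for a Django site: GET sets the cookie, POST enforces it."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        token = secrets.token_hex(16)  # fresh per-client secret, as Django does
        self.send_response(200)
        self.send_header("Set-Cookie", f"{COOKIE_NAME}={token}; Path=/")
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b'<form method="post" action="/submit"></form>')

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # body unused here
        cookies = dict(
            part.strip().split("=", 1)
            for part in self.headers.get("Cookie", "").split(";") if "=" in part
        )
        cookie_token = cookies.get(COOKIE_NAME)
        header_token = self.headers.get(HEADER_NAME, "")
        if cookie_token is None:
            self._reply(403, "CSRF cookie not set.")
        elif not hmac.compare_digest(header_token, cookie_token):
            self._reply(403, "CSRF token missing or incorrect.")
        else:
            self._reply(200, "ok")

    def _reply(self, status, text):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode())


def _do(opener, request):
    """Return (status, body); HTTP error responses are results, not exceptions."""
    try:
        with opener.open(request) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def post_with_csrf(base_url, data, header_value=None):
    """GET once so the server sets the cookie, read it back from the jar,
    then POST with that value in the header (curl: -c/-b jar plus -H)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    _do(opener, base_url + "/form")
    token = next(c.value for c in jar if c.name == COOKIE_NAME)
    req = urllib.request.Request(
        base_url + "/submit",
        data=urlencode(data).encode(),
        headers={HEADER_NAME: header_value if header_value is not None else token},
    )
    return _do(opener, req)  # the jar sends the cookie, the header repeats it


def post_bare(base_url, data):
    """What a plain `curl -X POST` does: no cookie jar, no header."""
    req = urllib.request.Request(base_url + "/submit", data=urlencode(data).encode())
    return _do(urllib.request.build_opener(), req)


def run_demo():
    """Start the stand-in on an ephemeral port and try the three client behaviours."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "bare": post_bare(base_url, {"comment": "hi"}),
            "wrong_header": post_with_csrf(base_url, {"comment": "hi"}, header_value="stale"),
            "replayed_cookie": post_with_csrf(base_url, {"comment": "hi"}),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (status, body) in run_demo().items():
        print(f"{case}: {status} {body}")
```

The curl equivalent is `curl -c jar.txt https://host/form/` followed by `curl -b jar.txt -H "X-CSRFToken: $(awk '/csrftoken/ {print $7}' jar.txt)" -d comment=hi https://host/submit/`; over HTTPS real Django additionally requires a Referer (or Origin) on the site, so add `-e https://host/`. This keeps the view protected in production instead of relying on remembering to remove csrf_exempt before deployment.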
5 votes, 2 answers

Django CSRF cookie accessible by javascript?

On django website, https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ it states: The CSRF protection is based on the following things: 1. A CSRF cookie that is set to a random value (a session independent nonce, as it is called), which other…
Keven Wang
  • 1,208
  • 17
  • 28
5 votes, 1 answer

Sporadic 403 "CSRF FAILURECSRF cookie not set" errors with django

We have a small site that is just starting to be exposed to the outside world. For the most part it is working very well but we are occasionally getting 403 errors with the message "CSRF FAILURECSRF cookie not set" from one of the forms. The form…
brandon
  • 427
  • 3
  • 12
5 votes, 1 answer

Django - Forbidden (CSRF cookie not set.)

I have a Django web site with medium traffic (about 4000/5000 visits per day). Today I configured the "LOGGING" option in settings.py to send an email at "Info" level, just to check if everything was OK... To my surprise, I am getting the…
Thomas
  • 2,256
  • 6
  • 32
  • 47
4 votes, 2 answers

Set django.contrib.auth.views.login as csrf_exempt

I'm developing a just-for-learning iOS app that interacts with my Django application. I'm at the login part: my client fails to log in to the Django app due to CSRF protection. For the other views I would just add the csrf_exempt decorator to disable it, but for…
Fred Collins
  • 5,004
  • 14
  • 62
  • 111
4 votes, 2 answers

Django CSRF for both HTTP and HTTPS

I have a blog that runs behind both HTTP and HTTPS and am running into issues with the csrf token verification. The CSRF token is available in each form as it should be, but when I'm on the HTTP version of the site and try to commit a comment I get…
Dave
  • 1,658
  • 3
  • 17
  • 19