I have commented out the CSRF context processor and middleware lines in settings.py:

```python
TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
    # 'django.core.context_processors.csrf',
    'django.core.context_processors.request',
    'django.core.context_processors.static',
    'cyathea.processors.static',
)

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
```
But when I use Ajax to send a request, Django still responds 'csrf token is incorrect or missing', and after adding X-CSRFToken to the headers, the request succeeds.
What is going on here?
To disable CSRF protection on all routes, navigate to app\Http\Middleware and open the VerifyCsrfToken.php file. Then update the routes for which you want to disable CSRF protection.
The CSRF token only ensures that forms which originated from trusted domains can be used to POST data back. So it doesn't validate the data or how much data the form sends, only whether the data comes from a form on a legitimate domain (your site, usually). Hence the name: Cross Site Request Forgery protection.
You don't need to check on each request, as CSRF tokens should only really be used on POST and PUT requests. Second, you can't verify a CSRF token unless you are generating it on each request, and your verification is optional. A CSRF token is not the same as an API key.
If you just need some views not to use CSRF, you can use @csrf_exempt:

```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')
```
You can find more examples and other scenarios in the Django documentation:
To disable CSRF for class-based views, the following worked for me.
I'm using Django 1.10 and Python 3.5.2:

```python
from django.http import HttpResponse
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View


@method_decorator(csrf_exempt, name='dispatch')
class TestView(View):
    def post(self, request, *args, **kwargs):
        return HttpResponse('Hello world')
```
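The answers above touch three separate facts: the check is enforced by the middleware, not by the context processor; it only applies to state-changing methods; and `@csrf_exempt` switches it off per view. The following is an added example (not code from the question, the answers, or Django itself) that models those rules in plain Python, so it runs without Django installed. The `Request` class, `new_token`, `csrf_check` and the `csrf_exempt` stand-in are constructed for this illustration and simplify the real `CsrfViewMiddleware` (Django additionally masks the token it hands to the client and checks Origin/Referer on HTTPS); the header name `HTTP_X_CSRFTOKEN` is how `request.META` spells the `X-CSRFToken` header from the question.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional

# Simplified model of the CSRF double-submit check (added example; not Django's code).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # never checked
COOKIE_NAME = "csrftoken"                            # token the server sets as a cookie
FORM_FIELD = "csrfmiddlewaretoken"                   # token echoed back by a rendered form
HEADER_NAME = "HTTP_X_CSRFTOKEN"                     # token echoed back by Ajax (X-CSRFToken)


def new_token() -> str:
    """Issue a fresh random token for the csrftoken cookie (hypothetical helper)."""
    return secrets.token_hex(32)


def csrf_exempt(view: Callable) -> Callable:
    """Stand-in for django.views.decorators.csrf.csrf_exempt: flag the view as exempt."""
    view.csrf_exempt = True
    return view


class Request:
    """Minimal stand-in for a Django HttpRequest, constructed for this example."""

    def __init__(self, method: str, cookies: Dict[str, str] = None,
                 post: Dict[str, str] = None, meta: Dict[str, str] = None):
        self.method = method.upper()
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.META = meta or {}


def csrf_check(request: Request, view: Callable) -> Optional[str]:
    """Return None when the request may proceed, otherwise the rejection reason."""
    if getattr(view, "csrf_exempt", False):
        return None                       # @csrf_exempt views bypass the check entirely
    if request.method in SAFE_METHODS:
        return None                       # only state-changing methods are checked
    cookie_token = request.COOKIES.get(COOKIE_NAME)
    if not cookie_token:
        return "CSRF cookie not set."
    # The submitted copy comes from the form field, or from the header for Ajax.
    submitted = request.POST.get(FORM_FIELD) or request.META.get(HEADER_NAME, "")
    if not submitted:
        return "CSRF token missing."
    if not hmac.compare_digest(cookie_token, submitted):   # constant-time comparison
        return "CSRF token incorrect."
    return None


def my_view(request: Request) -> str:
    return "Hello world"


@csrf_exempt
def exempt_view(request: Request) -> str:
    return "Hello world"


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios from the question and answers; None means 'allowed'."""
    token = new_token()
    with_cookie = {COOKIE_NAME: token}
    return {
        "get_no_token": csrf_check(Request("GET"), my_view),
        "post_no_header": csrf_check(Request("POST", cookies=with_cookie), my_view),
        "post_with_header": csrf_check(
            Request("POST", cookies=with_cookie, meta={HEADER_NAME: token}), my_view),
        "post_wrong_header": csrf_check(
            Request("POST", cookies=with_cookie, meta={HEADER_NAME: new_token()}), my_view),
        "post_form_field": csrf_check(
            Request("POST", cookies=with_cookie, post={FORM_FIELD: token}), my_view),
        "post_exempt": csrf_check(Request("POST"), exempt_view),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome or 'allowed'}")
```

The `post_no_header` and `post_with_header` cases reproduce the behaviour described in the question: a POST that carries the cookie but no matching copy of the token is rejected, and the same POST with `X-CSRFToken` set is allowed. Keeping the middleware enabled and sending the header from Ajax is the option that preserves the protection; `csrf_exempt` removes it for that view.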