I am testing the CSRF protection on my site and I have noticed something unexpected.
I removed {% csrf_token %}
from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form>
element. I changed the ID of the form to make sure it was definitely updating the source and it was but the hidden input is still there.
I am using Django 1.2. Is {% csrf_token %}
still necessary?
Cheers
Rich
After more investigation it appears the {% csrf_token %}
is always inserted if the form has method post
and not if it doesn't. Very clever auto protection from Django.
From the documentation:
In Django 1.1, the template tag did not exist. Instead, a post-processing middleware that re-wrote POST forms to include the CSRF token was used. If you are upgrading a site from version 1.1 or earlier, please read this section and the Upgrading notes below.
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#legacy-method
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With