How To Enable Or Disable CSRF Validation In Django Web Application

Django ships with protection against cross-site request forgery (CSRF) attacks, and it is switched on by default. Sometimes, especially in a development environment, you may not want this check, for example when you send POST requests to your web server with curl from the command line: with the check enabled, such requests are rejected with an HTTP 403 error. This article shows how to enable or disable CSRF validation in a Django application. Keep in mind that the check is a real security control, so prefer sending the token with your requests over disabling it, and never disable it in production.

1. Enable CSRF.

  1. CSRF validation is enabled by default: a new Django project lists 'django.middleware.csrf.CsrfViewMiddleware' in MIDDLEWARE, so unless you have removed it, every POST, PUT, PATCH and DELETE request is checked.
  2. To make a POST from an HTML form pass the validation, render the token into the form with the {% csrf_token %} template tag; Django then sets the csrftoken cookie and checks that the submitted token matches it.
     <form method="post" action="{% url 'dept_emp:user_add' %}">
       ......
       <!-- avoid CSRF verification failed error. -->
       {% csrf_token %}
       ......
    </form>
  3. If you use curl to send a POST request to your Django web app while CSRF validation is enabled, the request carries neither the csrftoken cookie nor the token itself, so you get the 403 Forbidden error below.
    :~$ curl -i -X POST  http://127.0.0.1:8000/dept_emp/test_class_based_view
    HTTP/1.1 403 Forbidden
    Date: Wed, 03 Apr 2019 08:49:21 GMT
    Server: WSGIServer/0.2 CPython/3.6.7
    Content-Type: text/html
    X-Frame-Options: SAMEORIGIN
    Content-Length: 2868
    
    
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <meta name="robots" content="NONE,NOARCHIVE">
      ......
    
    </html>

2. Disable CSRF Validation.

2.1 Disable CSRF Validation For Entire Django Project.

  1. Edit the project's settings.py file (DjangoHelloWorld / DjangoHelloWorld / settings.py).
  2. Comment out or remove 'django.middleware.csrf.CsrfViewMiddleware' in the MIDDLEWARE list. CSRF validation is then removed from the whole project: POST requests without the token are no longer rejected. This also removes the protection from every view, so do not ship such a settings file to production.
    MIDDLEWARE = [
        ......
        #'django.middleware.csrf.CsrfViewMiddleware',
        ......
    ]
    

2.2 Disable CSRF Validation For Class-Based View.

  1. You can also disable CSRF validation for a single class-based view by applying csrf_exempt to its dispatch method with method_decorator.
    from django.utils.decorators import method_decorator
    from django.views import View
    from django.views.decorators.csrf import csrf_exempt

    # csrf_exempt must be applied to dispatch(): as_view() copies the marker
    # from dispatch, so decorating post() alone would not exempt the view.
    @method_decorator(csrf_exempt, name='dispatch')
    class TestClassBasedView(View):

        def get(self, request):
           ......

2.3 Disable CSRF Validation For Function-Based View.

  1. The code below disables CSRF validation for a single function-based view using csrf_exempt. The decorated view is no longer protected, so apply this only to endpoints that do not rely on cookie-based authentication.
    from django.views.decorators.csrf import csrf_exempt

    @csrf_exempt
    def test_function_based_view(request):

        if request.method == 'GET':

             ......

3. Question & Answer.

3.1 Can not disable CSRF validation in Django app with ajax request.

  1. I want to disable CSRF validation in my Django app, so I commented out the csrf lines in my Django app's settings.py file in both the TEMPLATE_CONTEXT_PROCESSORS and MIDDLEWARE_CLASSES sections as below.
    TEMPLATE_CONTEXT_PROCESSORS = (
    ......
    # 'django.core.context_processors.csrf',
    ......
    )
    
    MIDDLEWARE_CLASSES = (
    ......
    # 'django.middleware.csrf.CsrfViewMiddleware',
    ......
    )

    But some features in my Django app need ajax to send requests, and when the ajax call executes, the Django app still sends the error message 'csrf token is incorrect or missing' to the client. I can fix this error by adding the X-CSRFToken header to the request, but I do not know why I need to add this header.

  2. You can use the @csrf_exempt annotation to decorate the view functions on which you do not want CSRF validation, just as this article tells you in section 2.3.
