How to use it
To take advantage of CSRF protection in your views, follow these steps:
- The CSRF middleware is activated by default in the MIDDLEWARE setting. If you override that setting, remember that 'django.middleware.csrf.CsrfViewMiddleware' should come before any view middleware that assume that CSRF attacks have been dealt with.

  If you disabled it, which is not recommended, you can use csrf_protect() on particular views you want to protect (see below).

- In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

      <form action="" method="post">{% csrf_token %}

  This should not be done for POST forms that target external URLs: the hidden token field would be submitted to the third-party site, leaking a value that site could then use to forge requests to your application on behalf of the user.

- In the corresponding view functions, ensure that RequestContext is used to render the response so that {% csrf_token %} will work properly. If you're using the render() function, generic views, or contrib apps, you are covered already since these all use RequestContext.