How to disable Django s CSRF validation

Question

I have commented out csrf processor and middleware lines in settings py   122  123 TEMPLATE CONTEXT PROCESSORS     124      django contrib auth context processors auth   125       django core context processors csrf   126      django core context processors request   127      django core context processors static   128      cyathea processors static   129   130  131 MIDDLEWARE CLASSES     132      django middleware common CommonMiddleware   133      django contrib sessions middleware SessionMiddleware   134       django middleware csrf CsrfViewMiddleware   135      django contrib auth middleware AuthenticationMiddleware   136      django contrib messages middleware MessageMiddleware   137      django middleware locale LocaleMiddleware   138       Uncomment the next line for simple clickjacking protection  139        django middleware clickjacking XFrameOptionsMiddleware   140     But when I use Ajax to send a request  Django still respond  csrf token is incorrect or missing   and after adding X-CSRFToken to headers  the request would succeed   What is going on here

User · Answer

In setting py in MIDDLEWARE you can simply remove comment this line    django middleware csrf CsrfViewMiddleware

User · Answer

If you want disable it in Global  you can write a custom middleware  like this  from django utils deprecation import MiddlewareMixin  class DisableCsrfCheck MiddlewareMixin        def process request self  req           attr     dont enforce csrf checks          if not getattr req  attr  False               setattr req  attr  True    then add this class youappname middlewarefilename DisableCsrfCheck to MIDDLEWARE CLASSES lists  before django middleware csrf CsrfViewMiddleware

User · Answer

The problem here is that SessionAuthentication performs its own CSRF validation  That is why you get the CSRF missing error even when the CSRF Middleware is commented  You could add  csrf exempt to every view  but if you want to disable CSRF and have session authentication for the whole app  you can add an extra middleware like this -   class DisableCSRFMiddleware object    def   init   self  get response       self get response   get response  def   call   self  request       setattr request    dont enforce csrf checks   True      response   self get response request      return response   I created this class in myapp middle py  Then import this middleware in Middleware in settings py  MIDDLEWARE          django middleware common CommonMiddleware        django middleware security SecurityMiddleware        django contrib sessions middleware SessionMiddleware        django middleware common CommonMiddleware         django middleware csrf CsrfViewMiddleware        myapp middle DisableCSRFMiddleware        django contrib auth middleware AuthenticationMiddleware        django contrib messages middleware MessageMiddleware        django middleware clickjacking XFrameOptionsMiddleware        That works with DRF on django 1 11

User · Answer

CSRF can be enforced at the view level  which can t be disabled globally    In some cases this is a pain  but um   it s for security   Gotta retain those AAA ratings    https   docs djangoproject com en dev ref csrf  contrib-and-reusable-apps

User · Answer

For Django 2   from django utils deprecation import MiddlewareMixin   class DisableCSRF MiddlewareMixin       def process request self  request           setattr request    dont enforce csrf checks   True    That middleware must be added to settings MIDDLEWARE when appropriate  in your test settings for example     Note  the setting isn t not called MIDDLEWARE CLASSES anymore

User · Answer

WoooHaaaa some third party packages use  django middleware csrf CsrfViewMiddleware  middleware  for example i use django-rest-oauth and i have problem like you even after disabling those things  maybe these packages responded to your request like my case  because you use authentication decorator and something like this

User · Answer

If you just need some views not to use CSRF  you can use  csrf exempt   from django views decorators csrf import csrf exempt   csrf exempt def my view request       return HttpResponse  Hello world     You can find more examples and other scenarios in the Django documentation    https   docs djangoproject com en dev ref csrf  edge-cases

User · Answer

The answer might be inappropriate  but I hope it helps you  class DisableCSRFOnDebug object       def process request self  request           if settings DEBUG              setattr request    dont enforce csrf checks   True    Having middleware like this helps to debug requests and to check csrf in production servers

User · Answer

To disable CSRF for class based views the following worked for me  Using django 1 10 and python 3 5 2  from django views decorators csrf import csrf exempt from django utils decorators import method decorator   method decorator csrf exempt  name  dispatch   class TestView View       def post self  request   args    kwargs           return HttpResponse  Hello world

[python] How to disable Django's CSRF validation?

Examples related to python

Examples related to django