Monday, September 25, 2017

Re: CSRF and API Calls

The view for csrf token is what I'm testing out now. I created a standard GET handler which should be returning the CSRF token. I was hoping to see how others have solved the problem. Possibly more elegantly that a "pre" GET to the POST just to obtain the CSRF token; however, at the same time I understand the need. 

I would prefer not to make the calls exempt for the obvious security reasons.


On Friday, September 22, 2017 at 2:17:08 PM UTC-4, Matthew Pava wrote:

Do you have access to the Django backend code?

You could disable CSRF validation by applying the @csrf_exempt decorator to the corresponding view functions.

Maybe you could create a view that returns only the CSRF token (through AJAX?) that you can utilize as needed?

 

From: django...@googlegroups.com [mailto:django...@googlegroups.com] On Behalf Of Tom Gorup
Sent: Friday, September 22, 2017 8:46 AM
To: Django users
Subject: CSRF and API Calls

 

I'm having a bit of an issue. I'm attempting to utilize a Javascript/React App to interact with a Django backend without the use of templates (hence no {%csrftoken%} available). As I understand CSRF middleware, the CSRF token comes with the form on the GET and is provided in the POST; however, if I'm not utilizing the templates and the app is completely separate from Django. 

 

How do I go about obtaining the CSRF token prior to making the POST/PUT/etc.?

 

Let me know if you need more context. Appreciate any assistance!

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to djang...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/13ecce96-2de8-4a42-8b1e-3b98ccbae524%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/f0c08232-d39f-418e-8467-3e3af69dbad8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)