CSRF token

[brejoc]

Django is expecting a CSRF token with POST requests to prevent Cross Site Request Forgeries. This also includes AJAX POST requests.

With a normal form this looks like this:

<form action="" method="post">{% csrf_token %}

Looks like there are two ways to implement this.

[kezabelle]

There's a third way, I believe:
ic-on-beforeSend="xhr.setRequestHeader('X-CSRFToken', '{{ csrf_token }}');"

[brejoc]

You are right @kezabelle. Thanks a lot! I'm thinking about introducing a template tag to make it more convenient.

[1cg]

I wonder if intercooler should support the rails-style CSRF meta tags out of the box. Does django have something similar? Cheers, Carson On March 22, 2017 at 2:07:41 AM, Jochen Breuer (notifications@github.com) wrote: You are right @kezabelle <https://github.com/kezabelle>. Thanks a lot! I'm thinking about introducing a template tag to make it more convenient. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#5 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAcov2Yx1NvixG5LCeJ72gSlbdgGHhi8ks5roOTdgaJpZM4MDBLE> .

[brejoc]

@carsongross That would be awesome. Django is very frontend agnostic, so this is our job. I see no reason not to introduce a CSRF meta tag. I would indeed prefer this over anything else. It is easy to implement and solves the problem.
Now we only have to convince all the frameworks to use the same header field name. Django uses X-CSRFToken and Rails X-CSRF-Token. You can change that in the Django settings. But I've not tried that yet.

[ammsa]

+1 for an out of the box support on CSRF tokens

[brejoc]

@chg20 Any news on this? I'm just asking, because I was not following the latest changes and would like to catch up. Thanks!

[1cg]

How does django encode the CSRF token?

[brejoc]

@chg20 Seems like the best way to get it is from the cookies. Hm… maybe intercooler could have a hook that gets called when implemented and then each framework would be able to ship a tiny snippet that would set the csrf tokens or not?