Having a POST'able API and Django's CSRF Middleware
https://stackoverflow.com/questions/2405353
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.
I understand why this is happening, but what is the proper way to fix this without compromising security? Is there someway I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF or is that a bad strategy?
Edit--
The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.
Solution
How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?
OTHER TIPS
If you are using a Class Based View then you will need to csrf_exempt the dispatch method rather than the post method like this:
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
return super(MyView, self).dispatch(request, *args, **kwargs)
See this bug ticket: https://code.djangoproject.com/ticket/15794
Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.
