Django - How to do CSFR on public pages? Or, better yet, how should it be used period?

Question

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it

I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct?

I guess I don't really understand when it's safe to use this because of this statement:

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

The reason it's confusing is that; to me an "external URL" would be page on that isn't part of my domain (ie, I own www.example.com and put a form that posts to www.spamfoo.com. This obviously can't be the case since people wouldn't use Django for generating forms that post to other people's websites, but how could it be true that you can't use CSRF protection on public forms (like a login form)?

Answer 1

With apologies to not understanding the specific source of your confusion, I'll say that the question you should be asking is when NOT to use CSRF protection. You've already called out this case from the docs:

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

If you are posting a form to your domain, you'll want CSRF protection enabled by default, unless you have a specific reason to disable it (which should be more rare than not).