Securing Django AJAX Requests with CSRF Protection
Django's built-in CSRF (Cross-Site Request Forgery) protection, enabled by default when creating a project with django-admin startproject, utilizes a CSRF token to safeguard against malicious requests. It is implemented as middleware that is added to your settings.py.
Every POST request to your Django application requires a valid CSRF token. In Django templates, this is achieved by including {% csrf_token %} within any form using the POST method. However, handling CSRF protection with separate front-end AJAX requests requires a different approach.
This tutorial demonstrates securing a simple Django application with AJAX requests from a separate front-end.
Application Setup
Our example application features two endpoints:
- GET /get-picture: Retrieves the URL of an image stored on the server.
- POST /set-picture: Updates the URL of the image stored on the server.
For simplicity, error handling is omitted. The initial backend code (in urls.py) is as follows:
```python
from django.urls import path
from django.http import JsonResponse
import json

# Image URL held in module-level state (lost when the server restarts)
picture_url = "https://picsum.photos/id/247/720/405"


def get_picture(request):
    return JsonResponse({"picture_url": picture_url})


def set_picture(request):
    global picture_url
    if request.method == "POST":
        picture_url = json.loads(request.body)["picture_url"]
    # Always return a response, so a non-POST request does not make the view return None
    return JsonResponse({"picture_url": picture_url})


urlpatterns = [
    path("get-picture", get_picture),
    path("set-picture", set_picture),
]
```
The corresponding front-end functions (simplified):
```javascript
// GET request to retrieve the image URL
async function get_picture() {
  const res = await fetch("http://localhost:8000/get-picture");
  const data = await res.json();
  return data.picture_url;
}

// POST request to update the image URL
async function set_picture(picture_url) {
  const res = await fetch("http://localhost:8000/set-picture", {
    method: "POST",
    body: JSON.stringify({ "picture_url": picture_url })
  });
}
```
To handle Cross-Origin Resource Sharing (CORS), we'll use the django-cors-headers package.
Enabling CORS and CSRF Protection
Install django-cors-headers:
```bash
pip install django-cors-headers
```
Configure settings.py:
```python
INSTALLED_APPS = [
    "corsheaders",
    # ... other apps
]

MIDDLEWARE = [
    "corsheaders.middleware.CorsMiddleware",
    # ... other middleware
]

CORS_ALLOWED_ORIGINS = ["http://localhost:4040"]  # Adjust port as needed
# Needed so the browser accepts responses to fetch(..., { credentials: "include" })
CORS_ALLOW_CREDENTIALS = True
CSRF_TRUSTED_ORIGINS = ["http://localhost:4040"]  # Add your frontend origin
```
While GET requests will now function correctly, POST requests will fail due to CSRF protection. To resolve this, we need to manage CSRF tokens manually.
Fetching and Using the CSRF Token
Create a new view to serve the CSRF token:
```python
from django.views.decorators.csrf import ensure_csrf_cookie
from django.http import JsonResponse


# ensure_csrf_cookie makes Django send the csrftoken cookie with this response
@ensure_csrf_cookie
def get_csrf_token(request):
    return JsonResponse({"success": True})


urlpatterns = [
    # ... other paths
    path("get-csrf-token", get_csrf_token),
]
```
Update the front-end to fetch the token (js-cookie is used later to read it):
```javascript
fetch("http://localhost:8000/get-csrf-token", { credentials: "include" });
```
The credentials: "include" option ensures the browser handles any Set-Cookie headers, storing the csrftoken cookie. Inspect the network tab in your browser's developer tools to verify the cookie is set.
Modifying the POST Request
Finally, modify the set_picture function to include the CSRF token in the header:
```javascript
async function set_picture(picture_url) {
  const res = await fetch("http://localhost:8000/set-picture", {
    method: "POST",
    credentials: "include",
    headers: { "X-CSRFToken": Cookies.get("csrftoken") },
    body: JSON.stringify({ "picture_url": picture_url })
  });
}
```
This adds the X-CSRFToken header with the value from the csrftoken cookie, enabling successful POST requests.
Important Considerations
This approach has limitations, especially when deploying the front-end and back-end on different domains. Browser security policies may prevent the setting or accessing of third-party cookies, impacting CSRF token management.
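Added example (not from the original tutorial and not Django's own code): a simplified, standard-library model of the cookie-versus-header comparison that the X-CSRFToken header satisfies, including the blocked-cookie failure described above. The names check_csrf and sample_requests, the reason strings and the sample requests are constructed for illustration; Django's real middleware additionally masks tokens and checks the Referer header on HTTPS.

```python
# Simplified model of a double-submit CSRF check (added example, stdlib only).
# Not Django's CsrfViewMiddleware; names and reason strings are illustrative.
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TRUSTED_ORIGINS = {"http://localhost:4040"}  # mirrors CSRF_TRUSTED_ORIGINS
BACKEND_ORIGIN = "http://localhost:8000"     # the API's own origin


def check_csrf(method, headers, cookies):
    """Return (allowed, reason); headers and cookies are plain dicts."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    # 1. An Origin header, when present, must be the backend or a trusted origin.
    origin = headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS | {BACKEND_ORIGIN}:
        return False, "origin not trusted"
    # 2. The csrftoken cookie must come back (it will not if the browser blocked it).
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return False, "csrf cookie missing"
    # 3. The page must echo the value in X-CSRFToken. Only script that can read
    #    the cookie can do this, which is what separates it from a forged POST.
    header_token = headers.get("X-CSRFToken")
    if not header_token:
        return False, "csrf header missing"
    # 4. Compare in constant time.
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "csrf token mismatch"
    return True, "token accepted"


def sample_requests():
    """Constructed (method, headers, cookies) tuples for the tutorial's cases."""
    token = secrets.token_urlsafe(32)  # stands in for the csrftoken cookie value
    front = "http://localhost:4040"
    sent = {"Origin": front, "X-CSRFToken": token}
    return {
        "get": ("GET", {"Origin": front}, {}),
        "post_without_header": ("POST", {"Origin": front}, {"csrftoken": token}),
        "post_with_header": ("POST", sent, {"csrftoken": token}),
        "post_cookie_blocked": ("POST", {"Origin": front}, {}),
        "post_other_origin": ("POST", {**sent, "Origin": "http://other.example"}, {"csrftoken": token}),
    }


if __name__ == "__main__":
    for name, request in sample_requests().items():
        print(f"{name:22} {check_csrf(*request)}")
```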