Having a POST'able API and Django's CSRF Middleware

Question

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising security? Is there someway I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF or is that a bad strategy?

Edit--

The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.

since your temporal solution (from last edit) is basically turning off csrf, you can turn off the middleware completely, don't you? :) — Dmitry Shevchenko, Mar 08 '10 at 23:26
It needs to be on for the rest of the site (the front-end portion) — T. Stone, Mar 08 '10 at 23:44

score 10 · Accepted Answer · edited Mar 03 '14 at 09:04

10

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?

edited Mar 03 '14 at 09:04

FallenAngel

15,966
10
78
105

answered Mar 09 '10 at 00:20

Brian Luft

1,143
8
12

6

That is exactly the setup but `csrf_exempt` doesn't seem to make a difference. It still gives a 403 with that decorator. +1 because according to the doc this should be working, even though it's not. – T. Stone Mar 09 '10 at 00:41
3

This is ONLY valid if the API can't be accessed through the browser. Otherwise this is potentially super dangerous as a request could then be forged from another site, against the API. – Jonatan Littke May 21 '12 at 12:03

score 8 · Answer 2 · answered Jan 17 '13 at 12:25

If you are using a Class Based View then you will need to csrf_exempt the dispatch method rather than the post method like this:

@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
    return super(MyView, self).dispatch(request, *args, **kwargs)

See this bug ticket: https://code.djangoproject.com/ticket/15794

score -3 · Answer 3 · answered Sep 06 '10 at 15:06

-3

Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.

answered Sep 06 '10 at 15:06

Alex Morega

3,786
1
20
24

2

Hm, that's not true, is it? In the link you provided, it does say you need to add an extra header for AJAX to work, not that it works automatically. – Jonatan Littke May 21 '12 at 11:51

Having a POST'able API and Django's CSRF Middleware

3 Answers3

Linked