[Vuejs]-Can't send post request from JavaScript when CSRF_COOKIE_SECURE is enabled

0👍

As per the Django docs:

If [CSRF_COOKIE_HTTPONLY] is set to True, client-side JavaScript will not be able to access the CSRF cookie.

Designating the CSRF cookie as HttpOnly doesn’t offer any practical protection because CSRF is only to protect against cross-domain attacks. If an attacker can read the cookie via JavaScript, they’re already on the same domain as far as the browser knows, so they can do anything they like anyway. (XSS is a much bigger hole than CSRF.)

Just set CSRF_COOKIE_HTTPONLY = False (or remove it from settings altogether, as that is the default) and you should be able to access it from JavaScript.
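Once the cookie is readable, the client still has to send its value back as a header on every unsafe request. The following is an added example (not code from the answer above or from Django/Vue) showing how a browser script reads the token from `document.cookie` and attaches it to a same-origin POST; it assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`, and fails loudly when the cookie is not readable.

```javascript
// Added example: read Django's CSRF cookie and send it back as X-CSRFToken.
// Assumes Django defaults: cookie name "csrftoken", header name "X-CSRFToken".

// Parse a document.cookie string ("a=1; csrftoken=abc") and return one cookie's
// value, or null when it is absent (e.g. because it was marked HttpOnly).
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [rawKey, ...rest] = part.trim().split('=');
    if (rawKey === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Build the fetch() init object for a JSON POST. If the token cannot be read,
// throw instead of sending a request Django would reject with 403.
function buildPostInit(payload, cookieString) {
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie not readable; check CSRF_COOKIE_HTTPONLY');
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // send session and CSRF cookies with the request
    headers: { 'Content-Type': 'application/json', 'X-CSRFToken': token },
    body: JSON.stringify(payload),
  };
}

// fetchImpl and cookieString are injected so the logic can run outside a browser;
// in a Vue component call postJson(url, data, document.cookie, window.fetch).
async function postJson(url, payload, cookieString, fetchImpl) {
  return fetchImpl(url, buildPostInit(payload, cookieString));
}

// Constructed sample standing in for document.cookie (not a real token).
const SAMPLE_COOKIES = 'sessionid=s3ss10n; csrftoken=abc123%3D%3D';
```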
