4👍
I think the problem is that your request only has the CSRF token header, but not the cookie (see the double submit mitigation against CSRF, the header you’re sending should be compared to the cookie).
I don’t quite understand what exactly is happening though. If you elaborate a bit more on where the Angular app is downloaded from and how it gets the CSRF cookie from Django, which is a different origin, I can probably edit this answer to help more. What I don’t get is that if the Angular app is downloaded from port A, from where does it have a CSRF cookie for Django on port B.
Edit:
Ah you’re using CORS. I think you need withCredentials in the jQuery request so that the csrf cookie is sent with the request:
xhrFields: {
withCredentials: true
}
Django then needs to send Access-Control-Allow-Credentials: true I think.