7
I think the confusion might be that the CSRF cookie and the HTTP_X_CSRFTOKEN HTTP header exist on opposite sides of the comparison. In other words, to prevent CSRF attacks, Django compares:
CSRF cookie value vs. POST token value (“csrfmiddlewaretoken”)
(or)
CSRF cookie value vs. HTTP header value (“HTTP_X_CSRFTOKEN”)
That’s why the cookie is always necessary. Using the HTTP_X_CSRFTOKEN header is a substitute for setting the token in POST data, not a substitute for the cookie.
2
If you are using jQuery you can create a beforeSend function that includes the csrf token. Django CSRF for more information.
Please be aware that Django looks for the header X-CSRFToken, not HTTP_X_CSRFTOKEN.
At least that was my problem during debugging of the code. (I also checked the django.middleware.csrf.CsrfViewMiddleware for this.)
The if csrf_token is None is an extra check done by Django. (Stated in the comment in the if-statement: "No CSRF cookie. For POST requests, we insist on a CSRF cookie, and in this way we can avoid all CSRF attacks, including login CSRF.")
I think (not sure) there is no single check to only validate the header from an ajax POST request, and Django will do checks to prevent any form of CSRF attacks.
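To make the two answers above concrete, here is an added example (written for this page, not Django's own middleware code) that models the checks both answers describe: the cookie is mandatory for unsafe methods, the cookie value is compared against either the csrfmiddlewaretoken POST field or the X-CSRFToken header, and the header only reaches the check under its WSGI name HTTP_X_CSRFTOKEN. It assumes plain, unmasked tokens; Django's real CsrfViewMiddleware additionally masks tokens and performs origin/referer checks, which are left out here.

```python
import hmac

# Constructed, simplified model of Django's CSRF comparison (not Django code).
CSRF_COOKIE_NAME = "csrftoken"            # Django's default cookie name
POST_FIELD_NAME = "csrfmiddlewaretoken"   # hidden form field name
HEADER_NAME = "X-CSRFToken"               # header name the client must send
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def wsgi_meta_name(header_name: str) -> str:
    """Map an HTTP header name to the key WSGI places in request.META.

    'X-CSRFToken' becomes 'HTTP_X_CSRFTOKEN': upper-cased, dashes to
    underscores, prefixed with HTTP_. This is why a client sends
    X-CSRFToken while Django's code reads HTTP_X_CSRFTOKEN.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def check_csrf(method: str, cookies: dict, post: dict, meta: dict):
    """Return (accepted, reason) for a request.

    cookies, post and meta are plain dicts standing in for
    request.COOKIES, request.POST and request.META.
    """
    if method in SAFE_METHODS:
        return True, "safe method, no CSRF check"

    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        # The "if csrf_token is None" branch: without the cookie there is
        # nothing to compare against, so the request is rejected even if a
        # token is present in the body or a header.
        return False, "CSRF cookie not set"

    # Prefer the POST field; fall back to the header under its WSGI name.
    request_token = post.get(POST_FIELD_NAME)
    if request_token is None:
        request_token = meta.get(wsgi_meta_name(HEADER_NAME), "")

    # Constant-time comparison of cookie side vs. request side.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def demo():
    """Run the scenarios discussed in the answers and return their results."""
    tok = "0123456789abcdef0123456789abcdef"  # constructed sample token
    return {
        "cookie+header": check_csrf("POST", {CSRF_COOKIE_NAME: tok}, {},
                                    {"HTTP_X_CSRFTOKEN": tok}),
        "cookie+post": check_csrf("POST", {CSRF_COOKIE_NAME: tok},
                                  {POST_FIELD_NAME: tok}, {}),
        "header only, no cookie": check_csrf("POST", {}, {},
                                             {"HTTP_X_CSRFTOKEN": tok}),
        "wrong META key": check_csrf("POST", {CSRF_COOKIE_NAME: tok}, {},
                                     {"X-CSRFToken": tok}),
        "mismatch": check_csrf("POST", {CSRF_COOKIE_NAME: tok},
                               {POST_FIELD_NAME: "x" * 32}, {}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:25s} -> {'accept' if ok else 'reject'} ({reason})")
```

The "header only, no cookie" and "wrong META key" cases are the two failure modes the answers describe: sending the header without the cookie is rejected outright, and a token stored under a key that is not the WSGI-normalised HTTP_X_CSRFTOKEN is never seen by the comparison.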