2👍
Use the @ensure_csrf_cookie decorator.
From docs:
Page uses AJAX without any HTML form
A page makes a POST request via AJAX, and the page does not have an HTML form with a csrf_token that would cause the required CSRF cookie to be sent.
Solution: use ensure_csrf_cookie() on the view that sends the page.
Source:stackexchange.com