312
If you just need some views not to use CSRF, you can use @csrf_exempt:

```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # skip the CSRF check for this view only
def my_view(request):
    return HttpResponse('Hello world')
```
You can find more examples and other scenarios in the Django documentation:
62
In settings.py, in MIDDLEWARE, you can simply remove/comment this line:

```python
'django.middleware.csrf.CsrfViewMiddleware',
```
58
To disable CSRF for class-based views, the following worked for me.
I’m using Django 1.10 and Python 3.5.2.

```python
from django.http import HttpResponse
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt

# Apply csrf_exempt to dispatch() so it covers every HTTP method of the view
@method_decorator(csrf_exempt, name='dispatch')
class TestView(View):
    def post(self, request, *args, **kwargs):
        return HttpResponse('Hello world')
```
46
The problem here is that SessionAuthentication performs its own CSRF validation. That is why you get the CSRF missing error even when the CSRF Middleware is commented.
You could add @csrf_exempt to every view, but if you want to disable CSRF and have session authentication for the whole app, you can add an extra middleware like this:

```python
class DisableCSRFMiddleware(object):
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # CsrfViewMiddleware skips its check when this flag is set on the request
        setattr(request, '_dont_enforce_csrf_checks', True)
        response = self.get_response(request)
        return response
```

I created this class in myapp/middle.py

Then import this middleware in Middleware in settings.py

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
    'myapp.middle.DisableCSRFMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

That works with DRF on Django 1.11.
18
For Django 2:

```python
from django.utils.deprecation import MiddlewareMixin

class DisableCSRF(MiddlewareMixin):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)
```

That middleware must be added to settings.MIDDLEWARE when appropriate (in your test settings for example).

Note: the setting isn’t called MIDDLEWARE_CLASSES anymore.
13
The answer might be inappropriate, but I hope it helps you

```python
from django.conf import settings

class DisableCSRFOnDebug(object):
    def process_request(self, request):
        # Skip CSRF checks only when DEBUG is on
        if settings.DEBUG:
            setattr(request, '_dont_enforce_csrf_checks', True)
```

Having middleware like this helps to debug requests and to check csrf in production servers.
9
If you want to disable it globally, you can write a custom middleware, like this:

```python
from django.utils.deprecation import MiddlewareMixin

class DisableCsrfCheck(MiddlewareMixin):
    def process_request(self, req):
        attr = '_dont_enforce_csrf_checks'
        if not getattr(req, attr, False):
            setattr(req, attr, True)
```

Then add this class, youappname.middlewarefilename.DisableCsrfCheck, to the MIDDLEWARE_CLASSES list, before django.middleware.csrf.CsrfViewMiddleware.
5
Before using this solution, please read this link from documentation
I solved this problem with the following two steps:

- Add this class to a utils.py file:

  ```python
  from django.utils.deprecation import MiddlewareMixin
  from <your-project-name> import settings

  class DisableCSRF(MiddlewareMixin):
      def process_request(self, request):
          if settings.DEBUG:
              setattr(request, '_dont_enforce_csrf_checks', True)
  ```

- And in the settings.py file, add the above middleware to the MIDDLEWARE list:

  ```python
  ...
  MIDDLEWARE = [
      ...
      'django.middleware.csrf.CsrfViewMiddleware',
      ...
      '<path-of-utils.py>.utils.DisableCSRF',
  ]
  ...
  ```
1
CSRF can be enforced at the view level, which can’t be disabled globally.
In some cases this is a pain, but um, “it’s for security”. Gotta retain those AAA ratings.
https://docs.djangoproject.com/en/dev/ref/csrf/#contrib-and-reusable-apps
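
An added example, not part of any answer above: a static audit built on Python's standard `ast` module that flags the three CSRF-disabling patterns shown on this page (`csrf_exempt`, the `_dont_enforce_csrf_checks` request flag, and a `MIDDLEWARE` list without `CsrfViewMiddleware`) so they can be caught in code review or CI. The name `audit_csrf` and the sample source are constructed for illustration, and the DEBUG-guard detection is a heuristic.

```python
import ast

FLAG = "_dont_enforce_csrf_checks"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"

def audit_csrf(source):
    """Return sorted (line, finding) pairs for constructs that weaken CSRF checks."""
    tree = ast.parse(source)
    guarded = set()  # ids of nodes inside an `if` whose test mentions DEBUG (heuristic)
    for node in ast.walk(tree):
        if isinstance(node, ast.If) and "DEBUG" in ast.dump(node.test):
            for stmt in node.body:
                guarded.update(id(n) for n in ast.walk(stmt))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and getattr(node.func, "id", "") == "setattr":
            a = node.args  # setattr(request, FLAG, True), as in the middleware answers
            if len(a) == 3 and isinstance(a[1], ast.Constant) and a[1].value == FLAG:
                scope = "DEBUG-only" if id(node) in guarded else "unconditional"
                findings.append((node.lineno, f"{scope} {FLAG}"))
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            for dec in node.decorator_list:  # @csrf_exempt or method_decorator(csrf_exempt, ...)
                if any(isinstance(n, ast.Name) and n.id == "csrf_exempt" for n in ast.walk(dec)):
                    findings.append((node.lineno, f"csrf_exempt on {node.name}"))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.List):
            if any(getattr(t, "id", "") == "MIDDLEWARE" for t in node.targets):
                entries = [e.value for e in node.value.elts if isinstance(e, ast.Constant)]
                if CSRF_MW not in entries:
                    findings.append((node.lineno, "CsrfViewMiddleware missing from MIDDLEWARE"))
    return sorted(findings)

# Constructed sample combining the patterns from the answers on this page.
SAMPLE = '''\
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "myapp.middle.DisableCSRFMiddleware",
]
class DisableCSRFMiddleware:
    def __call__(self, request):
        setattr(request, "_dont_enforce_csrf_checks", True)
class DisableCSRFOnDebug:
    def process_request(self, request):
        if settings.DEBUG:
            setattr(request, "_dont_enforce_csrf_checks", True)
@method_decorator(csrf_exempt, name="dispatch")
class TestView(View): pass
'''
if __name__ == "__main__":
    print(*audit_csrf(SAMPLE), sep="\n")
```

An "unconditional" finding in a settings module that production imports is the one to block; "DEBUG-only" findings still depend on DEBUG being off in every deployed environment.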