30👍
Normally when you make a request via a form you want the form being submitted to your view to originate from your website and not come from some other domain. To ensure that this happens, you can put a csrf token in your form for your view to recognize. If you add @csrf_exempt to the top of your view, then you are basically telling the view that it doesn’t need the token. This is a security exemption that you should take seriously.
14👍
The decorator marks a view as being exempt from the protection ensured by the middleware. Example:
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def my_view(request):
return HttpResponse('Hello world')
- [Django]-Can I set a specific default time for a Django datetime field?
- [Django]-How do I make an auto increment integer field in Django?
- [Django]-What base_name parameter do I need in my route to make this Django API work?
3👍
You should not have to use this unless you know exactly why. A good example where it is used is to build a webhook, that will receive informations from another site via a POST request. You then must be able to receive data even if it has no csrf token, but will be replaced by another system of security. For example, if you use stripe for the subscriptions of your clients, you need to know if a client unsubscribed his account. The webhook will be the way to inform your site, and then cut the access to your service for the unsubscribed client.
- [Django]-Default value for user ForeignKey with Django admin
- [Django]-Function decorators with parameters on a class based view in Django
- [Django]-Is there a way to pass a variable to an 'extended' template in Django?