How to disable Django's CSRF validation?

Question

I have commented out csrf processor and middleware lines in settings.py:

122 
123 TEMPLATE_CONTEXT_PROCESSORS = (
124     'django.contrib.auth.context_processors.auth',
125 #    'django.core.context_processors.csrf',
126     'django.core.context_processors.request',
127     'django.core.context_processors.static',
128     'cyathea.processors.static',
129 )
130 
131 MIDDLEWARE_CLASSES = (
132     'django.middleware.common.CommonMiddleware',
133     'django.contrib.sessions.middleware.SessionMiddleware',
134 #    'django.middleware.csrf.CsrfViewMiddleware',
135     'django.contrib.auth.middleware.AuthenticationMiddleware',
136     'django.contrib.messages.middleware.MessageMiddleware',
137     'django.middleware.locale.LocaleMiddleware',
138     # Uncomment the next line for simple clickjacking protection:
139     # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
140 )

But when I use Ajax to send a request, Django still respond 'csrf token is incorrect or missing', and after adding X-CSRFToken to headers, the request would succeed.

What is going on here ?

Possible duplicate : http://stackoverflow.com/questions/1650941/django-csrf-framework-cannot-be-disabled-and-is-breaking-my-site — Rohan, May 09 '13 at 09:12

score 286 · Answer 1 · edited Oct 01 '19 at 16:36

286

If you just need some views not to use CSRF, you can use @csrf_exempt:

from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

You can find more examples and other scenarios in the Django documentation:

https://docs.djangoproject.com/en/dev/ref/csrf/#edge-cases

edited Oct 01 '19 at 16:36

Lutz Prechelt

32,748
7
56
83

answered May 09 '13 at 09:10

Salvatorelab

11,133
6
52
75

3

Hi, @TheBronx, I really want to know why my solution doesn't work. – WoooHaaaa May 09 '13 at 09:15
1

sorry @MrROY I don't know why your solution is not working. I just know that `@csrf_exemp` works as I've used it recently without problems. Hope you find the answer. – Salvatorelab May 09 '13 at 09:52
7

@MrROY, It is a Django thing. Most things do work/doesn't work just because there is a magic setting buried deep down the code base. – idursun Aug 01 '13 at 10:15
3

A reminder: if you have other decorators in the same view the order is relevant: so place @csrf_exempt first. – Patrick Bassut Dec 13 '13 at 18:53
4

Hmm- maybe a technically correct answer, but most certainly not what the OP wanted or what I was looking for. – Danny Staple Aug 19 '14 at 12:58
And what do I do if I need *all* views not to use CSRF? – jameshfisher Feb 10 '15 at 15:02

score 53 · Answer 2 · edited Nov 20 '21 at 03:27

53

To disable CSRF for class-based views, the following worked for me.

I'm using Django 1.10 and Python 3.5.2

from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt

@method_decorator(csrf_exempt, name='dispatch')
class TestView(View):
    def post(self, request, *args, **kwargs):
        return HttpResponse('Hello world')

edited Nov 20 '21 at 03:27

ggorlen

33,459
6
59
67

answered Oct 12 '16 at 07:57

Martijn ten Hoor

684
5
5

score 50 · Answer 3 · edited Oct 07 '18 at 05:40

50

In setting.py in MIDDLEWARE you can simply remove/comment this line:

'django.middleware.csrf.CsrfViewMiddleware',

edited Oct 07 '18 at 05:40

Santosh Kumar

24,301
18
65
110

answered Mar 28 '17 at 08:36

Rohit33

641
5
3

1

this works for me on Django 2.1 using curl as an http client. – clay Mar 19 '19 at 15:35
2

@xtrinch Make sure you fully quit/re-launch the server process. I don't think the auto-relaod picks up the change – Basic Apr 07 '19 at 22:23
Django `3.2.9` does not require me to restart the server (`python manage.py runserver` command) – Enrique René Dec 30 '21 at 17:30

score 22 · Answer 4 · answered Dec 19 '17 at 14:04

The problem here is that SessionAuthentication performs its own CSRF validation. That is why you get the CSRF missing error even when the CSRF Middleware is commented. You could add @csrf_exempt to every view, but if you want to disable CSRF and have session authentication for the whole app, you can add an extra middleware like this -

class DisableCSRFMiddleware(object):

def __init__(self, get_response):
    self.get_response = get_response

def __call__(self, request):
    setattr(request, '_dont_enforce_csrf_checks', True)
    response = self.get_response(request)
    return response

I created this class in myapp/middle.py Then import this middleware in Middleware in settings.py

MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
    'myapp.middle.DisableCSRFMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',

]

That works with DRF on django 1.11

Thank you for actually giving an answer to the question instead of just posting a solution. — ThaJay, Dec 14 '18 at 15:44
I followed your solution but I get this error: ```'str' object has no attribute 'get'```. My django version is 3.2.6 though. @Madhuri — Maisum Abbas, Aug 17 '21 at 10:06

score 17 · Answer 5 · answered Dec 22 '17 at 13:07

For Django 2:

from django.utils.deprecation import MiddlewareMixin


class DisableCSRF(MiddlewareMixin):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)

That middleware must be added to settings.MIDDLEWARE when appropriate (in your test settings for example).

Note: the setting isn't not called MIDDLEWARE_CLASSES anymore.

score 12 · Answer 6 · answered Jun 04 '15 at 08:50

12

The answer might be inappropriate, but I hope it helps you

class DisableCSRFOnDebug(object):
    def process_request(self, request):
        if settings.DEBUG:
            setattr(request, '_dont_enforce_csrf_checks', True)

Having middleware like this helps to debug requests and to check csrf in production servers.

answered Jun 04 '15 at 08:50

naren

13,825
5
37
44

Hmm. Tried this in Django 1.9.1. Removed the @csrf_exempt decorator from the method and added the code above. Got a 403 because the cookie was not set. – Craig S. Anderson Feb 05 '16 at 01:58

JJP · Answer 7 · 2017-05-11T02:56:16.827

If you want disable it in Global, you can write a custom middleware, like this

from django.utils.deprecation import MiddlewareMixin

class DisableCsrfCheck(MiddlewareMixin):

    def process_request(self, req):
        attr = '_dont_enforce_csrf_checks'
        if not getattr(req, attr, False):
            setattr(req, attr, True)

then add this class youappname.middlewarefilename.DisableCsrfCheck to MIDDLEWARE_CLASSES lists, before django.middleware.csrf.CsrfViewMiddleware

s29 · Answer 8 · 2015-04-02T05:40:17.327

1

CSRF can be enforced at the view level, which can't be disabled globally.

In some cases this is a pain, but um, "it's for security". Gotta retain those AAA ratings.

https://docs.djangoproject.com/en/dev/ref/csrf/#contrib-and-reusable-apps

edited Apr 02 '15 at 05:40

answered Apr 02 '15 at 05:31

s29

1,947
23
18

Saeed · Answer 9 · 2022-01-17T03:29:17.090

Before using this solution, please read this link from documentation

I solved this problem with the following two steps:

Add this class to an utils.py file:

from <your-project-name> import settings
class DisableCSRF(MiddlewareMixin):
   def process_request(self, request):
      if settings.DEBUG:
         setattr(request, '_dont_enforce_csrf_checks', True)

And in the settings.py file, add above middleware to the MIDDLEWARE list:

...
MIDDLEWARE = [
    ...
    'django.middleware.csrf.CsrfViewMiddleware',
    ...
    '<path-of-utils.py>.utils.DisableCSRF',
]
...

How to disable Django's CSRF validation?

9 Answers9

Before using this solution, please read this link from documentation

Linked