How to disable Django CSRF authentication?

I commented out the CSRF context processor and middleware lines in settings.py:

    TEMPLATE_CONTEXT_PROCESSORS = (
        'django.contrib.auth.context_processors.auth',
        # 'django.core.context_processors.csrf',
        'django.core.context_processors.request',
        'django.core.context_processors.static',
        'cyathea.processors.static',
    )

    MIDDLEWARE_CLASSES = (
        'django.middleware.common.CommonMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        # 'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.locale.LocaleMiddleware',
        # Uncomment the next line for simple clickjacking protection:
        # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
    )

But when I use Ajax to send the request, Django still answers "CSRF token is invalid or missing", and after adding X-CSRFToken to the headers, the request succeeds.

What's going on here?

+93
python django
May 09 '13 at 9:07
9 answers

If you just need some views not to use CSRF, you can use @csrf_exempt:

    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt

    @csrf_exempt
    def my_view(request):
        return HttpResponse('Hello world')

Here you can find more examples and other scenarios:

+198
May 09 '13 at 9:10

To disable CSRF for class-based views, this worked for me.
Using Django 1.10 and Python 3.5.2:

    from django.http import HttpResponse
    from django.utils.decorators import method_decorator
    from django.views import View
    from django.views.decorators.csrf import csrf_exempt

    @method_decorator(csrf_exempt, name='dispatch')
    class TestView(View):
        def post(self, request, *args, **kwargs):
            return HttpResponse('Hello world')

+32
Oct 12 '16 at 7:57

In settings.py, in MIDDLEWARE, you can simply delete this line: 'django.middleware.csrf.CsrfViewMiddleware',

+13
Mar 28 '17 at 8:36

The answer may not be appropriate, but I hope this helps you.

    from django.conf import settings

    class DisableCSRFOnDebug(object):
        def process_request(self, request):
            # Only skip the CSRF check when DEBUG is on
            if settings.DEBUG:
                setattr(request, '_dont_enforce_csrf_checks', True)

Having this middleware helps you debug requests and still check CSRF on production servers.

+11
Jun 04 '15 at 8:50

For Django 2:

    from django.utils.deprecation import MiddlewareMixin

    class DisableCSRF(MiddlewareMixin):
        def process_request(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)

This middleware should be added to settings.MIDDLEWARE when necessary (for example, in your test settings).

Note: this setting is no longer called MIDDLEWARE_CLASSES.

+10
Dec 22 '17 at 13:07

The problem is that SessionAuthentication performs its own CSRF check. This is why you get a missing CSRF error even when the CSRF middleware is commented out. You can add @csrf_exempt to each view, but if you want to disable CSRF and keep session authentication for the whole application, you can add an additional middleware like this:

    class DisableCSRFMiddleware(object):
        def __init__(self, get_response):
            self.get_response = get_response

        def __call__(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)
            response = self.get_response(request)
            return response

I created this class in myapp/middle.py. Then add this middleware to MIDDLEWARE in settings.py:

    MIDDLEWARE = [
        'django.middleware.common.CommonMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        # 'django.middleware.csrf.CsrfViewMiddleware',
        'myapp.middle.DisableCSRFMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]

This works with DRF on Django 1.11.

+6
Dec 19 '17 at 2:04
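The behaviour described in the question (rejected without the header, accepted with it) and the reason given in this answer, plus the DEBUG-gated bypass from the earlier DisableCSRFOnDebug answer, as an added example that is not from this thread and not Django's own code. It is a dependency-free model of the decision Django's CsrfViewMiddleware makes for each request: safe methods pass, the `_dont_enforce_csrf_checks` attribute (what every "DisableCSRF" middleware in this thread sets) short-circuits the check, and otherwise the `csrfmiddlewaretoken` form field or the `X-CSRFToken` header must match the `csrftoken` cookie. The names `Request`, `csrf_decision`, `DebugOnlyCsrfBypass`, `ajax_headers` and `run_scenarios` are constructed for this example; real Django additionally masks the token and checks Referer/Origin on HTTPS requests, which the model leaves out.

```python
"""Simplified model of Django's CSRF check (added example, not Django's code)."""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
CSRF_COOKIE = "csrftoken"             # Django's default CSRF_COOKIE_NAME
CSRF_HEADER = "HTTP_X_CSRFTOKEN"      # how the X-CSRFToken header appears in request.META
CSRF_FORM_FIELD = "csrfmiddlewaretoken"


@dataclass
class Request:
    """Constructed stand-in for the parts of HttpRequest the check reads."""
    method: str
    COOKIES: dict = field(default_factory=dict)
    META: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


def csrf_decision(request):
    """Return (accepted, reason), mirroring the order CsrfViewMiddleware checks things."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if getattr(request, "_dont_enforce_csrf_checks", False):
        # Set by the DisableCSRF middlewares in this thread (and by Django's test client).
        return True, "_dont_enforce_csrf_checks"
    cookie = request.COOKIES.get(CSRF_COOKIE)
    if not cookie:
        return False, "CSRF cookie not set"
    # Regular <form> posts carry the token as a field; Ajax posts carry it as a header.
    submitted = request.POST.get(CSRF_FORM_FIELD) or request.META.get(CSRF_HEADER, "")
    if not hmac.compare_digest(cookie, submitted):   # constant-time comparison
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"


class DebugOnlyCsrfBypass:
    """Django 1.10+ style middleware: bypass only while DEBUG is on (hypothetical class)."""

    def __init__(self, get_response, debug):
        self.get_response = get_response
        self.debug = debug

    def __call__(self, request):
        if self.debug:
            request._dont_enforce_csrf_checks = True
        return self.get_response(request)


def ajax_headers(cookies):
    """What the Django docs' getCookie('csrftoken') JavaScript idiom puts on the request."""
    return {CSRF_HEADER: cookies[CSRF_COOKIE]}


def run_scenarios(debug=False):
    """Replay the situations from the question; returns {scenario: accepted}."""
    token = secrets.token_urlsafe(24)   # constructed stand-in for a CSRF cookie value
    cookies = {CSRF_COOKIE: token}

    def view(request):
        return csrf_decision(request)

    handler = DebugOnlyCsrfBypass(view, debug=debug)
    return {
        "get": handler(Request("GET"))[0],
        "post_no_header": handler(Request("POST", COOKIES=cookies))[0],
        "post_with_header": handler(Request("POST", COOKIES=cookies,
                                            META=ajax_headers(cookies)))[0],
        "post_wrong_header": handler(Request("POST", COOKIES=cookies,
                                             META={CSRF_HEADER: "not-the-token"}))[0],
    }


if __name__ == "__main__":
    for debug in (False, True):
        print("DEBUG =", debug, run_scenarios(debug=debug))
```

With DEBUG off, only the GET and the POST carrying a matching X-CSRFToken header are accepted, which is exactly the question's observation; with DEBUG on, the bypass middleware sets the attribute before the check runs and every request is accepted, so such middleware must never be loaded in production settings.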

If you want to disable it globally, you can write your own middleware, for example:

    from django.utils.deprecation import MiddlewareMixin

    class DisableCsrfCheck(MiddlewareMixin):
        def process_request(self, req):
            attr = '_dont_enforce_csrf_checks'
            if not getattr(req, attr, False):
                setattr(req, attr, True)

then add this class, yourappname.middlewarefilename.DisableCsrfCheck, to the MIDDLEWARE_CLASSES list before django.middleware.csrf.CsrfViewMiddleware.

+5
May 08 '17 at 7:24

CSRF protection can be applied at the view level, which cannot be disabled globally.

In some cases it's a pain, but the mindset is "this is for security." Must keep those AAA ratings.

https://docs.djangoproject.com/en/dev/ref/csrf/#contrib-and-reusable-apps

+1
Apr 02 '15 at 5:31

You can disable CSRF by creating your own middleware:

Make a Django application called "core", create a "utils.py" file in this application and put the code below in it:

    class DisableCSRF(object):
        def process_request(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)

And include this middleware in the settings.py file in MIDDLEWARE_CLASSES:

    'core.utils.DisableCSRF',

Another way:

you can use the @csrf_exempt decorator:

    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt

    @csrf_exempt
    def my_view(request):
        return HttpResponse('Hello world')

+1
Sep 04 '17 at 10:22
