Django CSRF framework cannot be disabled and breaks my site

The Django CSRF framework cannot be disabled. I commented it out of my project's middleware, but my logins still fail because of CSRF problems. I work from Django trunk. How can CSRF cause problems if it is not included in the middleware?

I need to disable it because there are many POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a Django trunk project?

The "new" CSRF framework from Django trunk also breaks external sites that come in and POST to the URL I give them (this is part of an unreliable API). I cannot disable CSRF, as I said earlier, so how can I fix this?

+54
django csrf
Oct 30 '09 at 16:38
6 answers

See the answers below for a better solution. Since I wrote this, a lot has changed. Now there are better ways to disable CSRF.

I feel your pain. It is not acceptable for a framework to change such fundamental functionality. Even if I wanted to start using it from now on, I have older sites on the same machine that share one copy of Django. Changes like this require a revision of the version number: 1.x → 2.x.

Anyway, to fix this, I just commented it out and stopped updating Django so often.

File: django/middleware/csrf.py, around line 160:

    # check incoming token
    # request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
    # if request_csrf_token != csrf_token:
    #     if cookie_is_new:
    #         # probably a problem setting the CSRF cookie
    #         return reject("CSRF cookie not set.")
    #     else:
    #         return reject("CSRF token missing or incorrect.")
+11
Mar 12

Yes, the Django CSRF framework can be disabled.

To manually exclude a view function from any CSRF middleware, you can use the csrf_exempt decorator located in the django.views.decorators.csrf module. For example (see the documentation):

    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt

    # csrf_exempt marks this single view as exempt; the middleware still
    # checks every other view.
    @csrf_exempt
    def my_view(request):
        return HttpResponse("hello world")

...and then remove the {% csrf_token %} inside the forms in your template, or leave things unchanged if you did not include it in your forms.

+125
Jul 08 2018-10-10T00:

You can disable this in middleware.

In your settings.py, add a line to MIDDLEWARE_CLASSES:

    MIDDLEWARE_CLASSES = (
        # dotted path as a string, like the other middleware entries
        'myapp.disable.DisableCSRF',
    )

Create disable.py in myapp with the following:

    class DisableCSRF(object):
        def process_request(self, request):
            # CsrfViewMiddleware.process_view skips its check when this flag is set
            setattr(request, '_dont_enforce_csrf_checks', True)

Basically, if you set _dont_enforce_csrf_checks on your request, you should be fine.

+81
Jan 08 2018-11-11T00:

In general, you should not disable CSRF protection, as this opens up security holes. If you insist though...

A new way of doing CSRF protection recently appeared in trunk. Is your site by any chance configured to do it the old way? Here are the docs for The New Way™ and here are the docs for The Old Way™.

+6
Oct 30 '09 at 16:45

I just tried removing the CSRF middleware class references from my settings.py, and it worked. Not sure if this is acceptable. Any comments? The two lines I deleted are below:

    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.csrf.CsrfResponseMiddleware',
+4
Nov 13 '10 at 11:23

My Django version is 1.11. The middleware should look like this:

    from django.utils.deprecation import MiddlewareMixin

    class DisableCSRF(MiddlewareMixin):
        def process_request(self, request):
            setattr(request, '_dont_enforce_csrf_checks', True)
0
Oct 24 '17 at 10:19
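The _dont_enforce_csrf_checks flag used by the two middleware answers above switches CSRF off for every request, including the login form the question is worried about. An added example, not from any answer on this page, that scopes the same flag to a path prefix so only the endpoints that untrusted sites POST to are exempt; the prefix is a placeholder, and the callable middleware style (Django 1.10+) is used so the code runs without Django installed:

```python
# Added example: apply the _dont_enforce_csrf_checks trick only to a path
# prefix instead of the whole site, so login and other forms stay protected.
# The prefixes are constructed placeholders; a real project would read them
# from settings.py. Callable middleware style (Django >= 1.10), no Django import.

CSRF_EXEMPT_PREFIXES = ("/api/inbound/",)  # placeholder, not a real project path


def is_csrf_exempt_path(path, prefixes=CSRF_EXEMPT_PREFIXES):
    """True if the request path belongs to an endpoint that should skip CSRF."""
    # Normalize so "/api/inbound" and "/api/inbound/" are treated alike and a
    # sibling such as "/api/inboundx/" does not match by accident.
    normalized = path if path.endswith("/") else path + "/"
    return any(normalized.startswith(p) for p in prefixes)


class ScopedDisableCSRF:
    """Set request._dont_enforce_csrf_checks only for the exempted prefixes.

    CsrfViewMiddleware reads that flag in process_view, which runs after every
    middleware's pre-request phase, so this class works in any position of
    MIDDLEWARE as long as CsrfViewMiddleware itself is still listed.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if is_csrf_exempt_path(request.path):
            request._dont_enforce_csrf_checks = True
        return self.get_response(request)


class FakeRequest:
    """Minimal stand-in for HttpRequest, constructed here for offline use."""

    def __init__(self, path):
        self.path = path


def csrf_enforced_for(path):
    """Push one request through the middleware; True means CSRF still applies."""
    middleware = ScopedDisableCSRF(lambda request: request)
    request = middleware(FakeRequest(path))
    return not getattr(request, "_dont_enforce_csrf_checks", False)
```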
