1
votes

I'm following the Django guide on Show me to do. But I have a question:

If I just copy his code I get a

Forbidden (403) CSRF verification failed. Request aborted.

I've solved that problem by adding

context_instance=RequestContext(request)

to all "my" return render_to_response and by adding the tag {% csrf_token %} to the form I'm calling.

Here comes the question: Can I in any way set this up to be invoked "behind the scenes", or do I have to add this to all my forms?


2 Answers

1
votes

Yes, you can use render(request, template, context) rather than render_to_response. The render shortcut uses a RequestContext automatically.

0
votes

CSRF is an important security concept AFAIK.

You either have to set csrf_token [which would set a hidden POST parameter] on all forms which use POST, PUT or DELETE requests, or you can use the X-CSRFToken header as well. You can use the render shortcut rather than render_to_response to include RequestContext by default. See:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

There is a way to completely avoid CSRF checks by removing the middleware or using a decorator. But I would recommend against this.
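As an added illustration (not code from the question or either answer, and not Django's own implementation), here is a simplified Python model of the check the CSRF middleware performs on unsafe methods: the token submitted in the hidden `csrfmiddlewaretoken` field (what `{% csrf_token %}` renders) or in the `X-CSRFToken` header must match the value held in the `csrftoken` cookie. The names follow Django's defaults; the masking Django applies to real tokens is omitted.

```python
import hmac
import secrets

# Methods that must never change server state, so no token is demanded.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie name
FORM_FIELD = "csrfmiddlewaretoken"   # hidden input emitted by {% csrf_token %}
HEADER_NAME = "X-CSRFToken"          # header alternative for AJAX / non-form clients


def new_token():
    """Issue a fresh random token; the server sets it in the CSRF cookie."""
    return secrets.token_hex(16)


def csrf_check(method, cookies, post_data=None, headers=None):
    """Return (ok, reason) for one request.

    Simplified model: a state-changing request must carry, in the form field
    or the header, the same token the browser holds in the CSRF cookie. A
    cross-site attacker can make the browser send the cookie, but cannot read
    it to copy the value into the form or header, so the check fails.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    post_data = post_data or {}
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    submitted = post_data.get(FORM_FIELD) or headers.get(HEADER_NAME.lower())
    if not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison so the check leaks nothing via timing.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo():
    """Constructed requests: one per outcome, returned as their reasons."""
    token = new_token()
    good_cookie = {COOKIE_NAME: token}
    return [
        csrf_check("GET", {})[1],
        csrf_check("POST", good_cookie, {FORM_FIELD: token})[1],
        csrf_check("PUT", good_cookie, headers={HEADER_NAME: token})[1],
        csrf_check("POST", good_cookie, {})[1],
        csrf_check("POST", good_cookie, {FORM_FIELD: "x" * 32})[1],
        csrf_check("DELETE", {}, {})[1],
    ]
```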