Having a POST'able API and Django's CSRF Middleware

32
votes

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising security? Is there someway I can signal in the HTTP header that it's an API request and that Django shouldn't be checking for CSRF or is that a bad strategy?

Edit--

The method I'm using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I'm not sure how this would be handled better.

3
djangosecurityapicsrf
since your temporal solution (from last edit) is basically turning off csrf, you can turn off the middleware completely, don't you? :) - Dmitry Shevchenko
It needs to be on for the rest of the site (the front-end portion) - T. Stone

3 Answers

10
votes

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?

8
votes

If you are using a Class Based View then you will need to csrf_exempt the dispatch method rather than the post method like this:

@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
    return super(MyView, self).dispatch(request, *args, **kwargs)

See this bug ticket: https://code.djangoproject.com/ticket/15794

-3
votes

Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.