My setup:
- A static website as landing page served via AWS S3 (welcome.mydomain.com).
- A Django app (Django 1.8 with Python 2.7) accessible via a subdomain (app.mydomain.com).
I would like to add a contact form that is part of my static website and that sends the contact form data to my Django server to be processed. I do not want to add the contact form as a template to my Django app because I am using different style sheets and resources and don't want to mix them between the servers. The view processing the form data just adds this data to an email and sends it to an internal email address.
I get a "403 CSRF verification failed" error because the form does not include the CSRF token.
I could now exempt the view receiving the request from CSRF verification, but I am not sure which security risks this poses.
I am not sure whether I am misunderstanding CSRF attacks and their dangers, or whether I am looking at this problem the wrong way. None of my searches or the answers to Django CSRF-related questions have helped me so far.
Here are my questions:
- Is there a better way to solve this problem?
- Can I use csrf_exempt without adding any security risks (e.g., by doing extra validation)?
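What the "extra validation" behind a csrf_exempt contact endpoint could look like, as an added example that is not part of the original question or of any Django code. The CSRF token protects endpoints whose authorization comes from the browser's ambient credentials (the session cookie); a contact endpoint that requires no login gives a forged request nothing to borrow, so the practical concern after exempting it is that any origin, or any script, can post to it. The checks below restore the same-site restriction explicitly by allowlisting the sender's Origin (with a Referer fallback, the same kind of check Django's own middleware performs on HTTPS), bound every field, and reject CR/LF in fields that end up in email headers. Django is deliberately not imported so the module runs stand-alone; the origin list, field names, limits, recipient address and the sample requests are assumptions constructed for illustration, and wiring `handle_contact_post` into a `@csrf_exempt` view is the assumed integration.

```python
import re

# Only the static landing page may POST to the contact endpoint. Hostname from
# the question; the https scheme and the exact list are assumptions.
ALLOWED_ORIGINS = frozenset(["https://welcome.mydomain.com"])

# Field names and size limits are assumed for this example.
MAX_LENGTHS = {"name": 100, "email": 254, "subject": 200, "message": 5000}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def request_origin(headers):
    """Return 'scheme://host' of the sender from Origin, falling back to
    Referer (older browsers omit Origin on plain form POSTs). None if absent."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        match = re.match(r"^(https?://[^/]+)", referer)
        if match:
            return match.group(1)
    return None


def validate_contact_post(headers, fields, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, error). ok is True only when the browser reports an allowed
    sending origin and every field is present, within its limit, and (for the
    fields that go into email headers) free of CR/LF, so a visitor cannot
    append headers such as an extra recipient to the outgoing mail."""
    origin = request_origin(headers)
    if origin not in allowed_origins:
        return False, "origin not allowed: {!r}".format(origin)
    for name, limit in MAX_LENGTHS.items():
        value = fields.get(name, "")
        if not value.strip():
            return False, "missing field: " + name
        if len(value) > limit:
            return False, "field too long: " + name
        if name != "message" and ("\r" in value or "\n" in value):
            return False, "newline in header field: " + name
    if not EMAIL_RE.match(fields["email"]):
        return False, "invalid email address"
    return True, None


def build_email(fields, recipient="contact@mydomain.internal"):
    """Assemble what the view would hand to the mailer. The visitor's address
    goes into Reply-To rather than From, so the internal mailbox replies to
    the visitor without the server sending mail as an arbitrary address.
    The recipient address is a placeholder assumed for this example."""
    body = "From: {} <{}>\n\n{}".format(fields["name"], fields["email"],
                                       fields["message"])
    return {
        "to": [recipient],
        "reply_to": fields["email"],
        "subject": "[contact] " + fields["subject"],
        "body": body,
    }


def handle_contact_post(headers, fields):
    """Model of the csrf_exempt view: (status, payload). 403 when the sending
    origin is not allowed, 400 when the input is bad, else 200 and the email
    that would be sent."""
    ok, error = validate_contact_post(headers, fields)
    if not ok:
        status = 403 if error.startswith("origin") else 400
        return status, {"error": error}
    return 200, build_email(fields)


# Constructed sample requests (not captured traffic).
GOOD_HEADERS = {"Origin": "https://welcome.mydomain.com",
                "Referer": "https://welcome.mydomain.com/contact.html"}
GOOD_FIELDS = {"name": "Ada", "email": "ada@example.org", "subject": "Hello",
               "message": "Just saying hi.\nSecond line is fine in the body."}
INJECTED_FIELDS = dict(GOOD_FIELDS, subject="Hi\r\nBcc: victim@example.org")

if __name__ == "__main__":
    cases = [
        ("browser on the landing page", GOOD_HEADERS, GOOD_FIELDS),
        ("browser on another site", {"Origin": "https://evil.example"}, GOOD_FIELDS),
        ("no Origin or Referer at all", {}, GOOD_FIELDS),
        ("header injection attempt", GOOD_HEADERS, INJECTED_FIELDS),
    ]
    for label, headers, fields in cases:
        status, payload = handle_contact_post(headers, fields)
        print("{:<30} -> {} {}".format(label, status, payload.get("error", "ok")))
```

The Origin/Referer check only constrains browsers, which set those headers themselves; a script such as curl can send any value or none, so it keeps other websites from submitting your form on a visitor's behalf but does nothing against direct spam. Rate limiting or a CAPTCHA on the endpoint is the separate control for that, and the S3 page will also need the Django side to answer with CORS headers if the form is submitted with JavaScript rather than a plain HTML form post.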