How to disable Django's CSRF validation?

Anonymous (unverified), submitted 2019-12-03 01:08:02

Question:

I have commented out the CSRF context processor and middleware lines in settings.py:

TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
#    'django.core.context_processors.csrf',
    'django.core.context_processors.request',
    'django.core.context_processors.static',
    'cyathea.processors.static',
)

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
#    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

But when I use Ajax to send a request, Django still responds 'csrf token is incorrect or missing', and after adding X-CSRFToken to the headers, the request succeeds.

What is going on here?

Answer 1:

If you just need some views not to use CSRF, you can use @csrf_exempt:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # CsrfViewMiddleware skips views carrying this marker
def my_view(request):
    return HttpResponse('Hello world')

You can find more examples and other scenarios here:



Answer 2:

To disable CSRF for class-based views, the following worked for me (using Django 1.10 and Python 3.5.2):

from django.http import HttpResponse
from django.utils.decorators import method_decorator
from django.views import View
from django.views.decorators.csrf import csrf_exempt

# Decorating dispatch() exempts every HTTP method handled by the view.
@method_decorator(csrf_exempt, name='dispatch')
class TestView(View):
    def post(self, request, *args, **kwargs):
        return HttpResponse('Hello world')


Answer 3:

The answer might be inappropriate, but I hope it helps you.

from django.conf import settings

class DisableCSRFOnDebug(object):
    def process_request(self, request):
        # CsrfViewMiddleware does not enforce the check when this attribute is set,
        # so the bypass is limited to DEBUG builds.
        if settings.DEBUG:
            setattr(request, '_dont_enforce_csrf_checks', True)

Having middleware like this helps to debug requests and to check csrf in production servers.



Answer 4:

You can disable CSRF by making your own middleware:

Make one Django app with the name 'Core', make one file 'utils.py' in this app, and place the code below in this file:

class DisableCSRF(object):
    def process_request(self, request):
        # Disables CSRF enforcement for every request, not only in DEBUG.
        setattr(request, '_dont_enforce_csrf_checks', True)

And include this middleware in your settings.py file in MIDDLEWARE_CLASSES (the entry must be the dotted path to the class):

'core.utils.DisableCSRF'

One more way:

You can use the @csrf_exempt decorator:

from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # applied to the view function defined directly below it


Answer 5:

If you want to disable it globally, you can write a custom middleware, like this:

from django.utils.deprecation import MiddlewareMixin

class DisableCsrfCheck(MiddlewareMixin):

    def process_request(self, req):
        attr = '_dont_enforce_csrf_checks'
        if not getattr(req, attr, False):
            setattr(req, attr, True)

Then add this class, youappname.middlewarefilename.DisableCsrfCheck, to the MIDDLEWARE_CLASSES list, before django.middleware.csrf.CsrfViewMiddleware.



Answer 6:

In settings.py, in MIDDLEWARE, you can simply remove this line: 'django.middleware.csrf.CsrfViewMiddleware',



Answer 7:

For Django 2:

from django.utils.deprecation import MiddlewareMixin


class DisableCSRF(MiddlewareMixin):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)

That middleware must be added to settings.MIDDLEWARE when appropriate (in your test settings for example).

Note: the setting isn't called MIDDLEWARE_CLASSES anymore.
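The two bypasses used across the answers (the csrf_exempt marker on a view in Answers 1 and 2, and the _dont_enforce_csrf_checks attribute on the request in Answers 3, 4, 5 and 7) both work because CsrfViewMiddleware.process_view looks for exactly those attributes before doing any token comparison. The block below is an added example, not code from the original post or from Django: it models that decision in plain Python so it can be run without a Django install. Request, Response, dispatch, run_scenarios and the debug flag are assumptions made for this example, and the token check is reduced to a constant-time cookie/header comparison (Django additionally masks the token and checks Origin/Referer on HTTPS).

```python
# Added example, not code from the original post or from Django itself: a
# self-contained model of the decision Django's CsrfViewMiddleware.process_view
# makes, so the two bypasses shown in the answers (the csrf_exempt attribute on
# a view, and the _dont_enforce_csrf_checks attribute on the request) can be run
# without a Django install. Request, Response, dispatch, run_scenarios and the
# debug flag are assumptions made for this example.
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # Django checks only unsafe methods


class Request:
    """Stand-in for django.http.HttpRequest with the fields the check reads."""

    def __init__(self, method, cookies=None, headers=None):
        self.method = method.upper()
        self.COOKIES = cookies or {}
        # Django exposes the X-CSRFToken header as META['HTTP_X_CSRFTOKEN'].
        self.META = headers or {}


class Response:
    """Stand-in for django.http.HttpResponse."""

    def __init__(self, status_code, content=""):
        self.status_code = status_code
        self.content = content


def csrf_exempt(view):
    """Model of django.views.decorators.csrf.csrf_exempt (Answers 1 and 2):
    mark the view so the middleware skips it."""
    view.csrf_exempt = True
    return view


def disable_csrf_on_debug(request, debug):
    """Model of the process_request hook from Answer 3: set the request flag
    that CsrfViewMiddleware honours, but only when DEBUG is on."""
    if debug:
        request._dont_enforce_csrf_checks = True


def csrf_view_middleware(request, view):
    """Model of CsrfViewMiddleware.process_view: return a 403 Response to reject
    the request, or None to let the view run."""
    if getattr(request, "_dont_enforce_csrf_checks", False):
        return None  # bypass middleware from Answers 3, 4, 5 and 7
    if getattr(view, "csrf_exempt", False):
        return None  # @csrf_exempt from Answers 1 and 2
    if request.method in SAFE_METHODS:
        return None
    cookie = request.COOKIES.get("csrftoken", "")
    header = request.META.get("HTTP_X_CSRFTOKEN", "")
    # Simplified check: constant-time comparison of cookie and header token.
    if not cookie or not hmac.compare_digest(cookie, header):
        return Response(403, "CSRF token missing or incorrect.")
    return None


def dispatch(request, view, debug=False):
    """Run the hooks in Django's order: process_request hooks first, then
    process_view, then the view itself."""
    disable_csrf_on_debug(request, debug)
    rejected = csrf_view_middleware(request, view)
    return rejected if rejected is not None else view(request)


def hello(request):
    return Response(200, "Hello world")


@csrf_exempt
def hello_exempt(request):
    return Response(200, "Hello world")


# Constructed token for the example; Django generates a random one per session.
TOKEN = "example-csrf-token-0123456789"


def run_scenarios():
    """Exercise each path once; returns {scenario: HTTP status code}."""
    good = Request("POST", {"csrftoken": TOKEN}, {"HTTP_X_CSRFTOKEN": TOKEN})
    bad = Request("POST", {"csrftoken": TOKEN}, {"HTTP_X_CSRFTOKEN": "wrong"})
    return {
        "post_without_token": dispatch(Request("POST"), hello).status_code,
        "post_with_matching_token": dispatch(good, hello).status_code,
        "post_with_wrong_token": dispatch(bad, hello).status_code,
        "get_without_token": dispatch(Request("GET"), hello).status_code,
        "exempt_view_without_token": dispatch(Request("POST"), hello_exempt).status_code,
        "debug_bypass_without_token": dispatch(Request("POST"), hello, debug=True).status_code,
        "debug_off_without_token": dispatch(Request("POST"), hello, debug=False).status_code,
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

Two caveats for anyone applying these answers to a real project. First, removing CsrfViewMiddleware from settings does not disable per-view protection: the csrf_protect decorator is built with decorator_from_middleware(CsrfViewMiddleware), so a view decorated with it is still checked, which is one way the question's symptom can arise. Second, the _dont_enforce_csrf_checks flag is the same one Django's test Client sets on every request unless it is constructed with enforce_csrf_checks=True, so the middleware from Answers 3 and 7 is only needed for manual testing; shipping the unconditional version from Answers 4, 5 or 6 removes the application's only defence against cross-site request forgery on state-changing requests.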


