Do CSRF attacks apply to API's?

Question

In particular, I\'m writing a Django RESTful API to back an iOS application, and I keep running into Django\'s CSRF protections whenever I write methods to deal with POST re

Answer 1

That's not the purpose of CSRF. CSRF is to prevent direct posting of data to your site. In other words, the client must actually post through an approved path, i.e. view the form page, fill it out, submit the data.

An API pretty much precludes CSRF, because its entire purpose is generally to allow 3rd-party entities to access and manipulate data on your site (the "cross-site" in CSRF). So, yes, I think as a rule any API view should be CSRF exempt. However, you should still follow best practices and protect every API-endpoint that actually makes a change with some form of authentication, such as OAuth.