In particular, I'm writing a Django RESTful API to back an iOS application, and I keep running into Django's CSRF protections whenever I write methods to deal with POST re
CSRF attacks rely on cookies being implicitly sent with all requests to a particular domain. If your API endpoints do not allow cookie-based authentication, you should be good.
Even if you do use cookie-based authentication, your cookies are safe because iOS apps do not share cookies. However, unless you intentionally block web browsers by requiring an unusual user-agent header, another party could build a browser-based app that uses your API, and that app would be vulnerable to CSRF attacks if your API supports cookie-based authentication and doesn't apply CSRF protection.
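The rule in the answer above, as an added example that is not part of the original post and is not Django's own code: a framework-independent sketch in which a request authenticated by an explicit `Authorization` header skips the CSRF check, while a request authenticated by a session cookie must present the CSRF token on state-changing methods. The function name `authenticate`, the credential stores and their values are hypothetical and constructed; the `sessionid` cookie and `X-CSRFToken` header names mirror Django's defaults.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample credential stores (assumptions for this example).
API_TOKENS = {"tok-ios-123": "alice"}
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}


def authenticate(method, headers, cookies):
    """Return (status, user). CSRF is enforced only for cookie-authenticated requests."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Token "):
        # Explicit header credential: a browser never attaches it implicitly,
        # so a cross-site page cannot ride on it. No CSRF check is needed.
        # A bad token is rejected outright; it never falls back to the cookie.
        user = API_TOKENS.get(auth[len("Token "):])
        return (200, user) if user else (401, None)

    session = SESSIONS.get(cookies.get("sessionid", ""))
    if session is None:
        return (401, None)

    # Cookie credential: browsers send it implicitly with every request to the
    # domain, so unsafe methods must also carry the per-session CSRF token.
    if method not in SAFE_METHODS:
        supplied = headers.get("X-CSRFToken", "")
        # Constant-time comparison avoids leaking the token through timing.
        if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
            return (403, None)
    return (200, session["user"])
```
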