Do CSRF attacks apply to APIs?

误落风尘 2020-12-01 00:04

In particular, I'm writing a Django RESTful API to back an iOS application, and I keep running into Django's CSRF protections whenever I write methods to deal with POST re

5 answers
  •  醉梦人生
    2020-12-01 00:21

    They do apply if you're also using your API to support a website.

    In this case you still need some form of CSRF protection to prevent someone embedding requests in other sites to have drive-by effects on an authenticated user's account.

    Chrome seems to deny cross-origin POST requests by default (other browsers may not be so strict), but allows GET requests cross-origin, so you must make sure any GET requests in your API don't have side-effects.
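
The split described in the answer above, as an added example that is not part of the original answer and is not Django's own implementation: a request carrying a browser session cookie must present a CSRF token on unsafe methods, while a native client that authenticates only with an `Authorization` header carries no ambient cookie to abuse. The function names and the simplified double-submit comparison are assumptions for illustration; the cookie and header names follow Django's defaults.

```python
import hmac
import secrets

# Methods that must never change state, because browsers send them cross-origin freely.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token():
    """Random value set as the csrftoken cookie and echoed back by the site's own pages."""
    return secrets.token_urlsafe(32)


def csrf_check(method, headers, cookies):
    """Hypothetical gate placed in front of an API view. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if "sessionid" not in cookies:
        # No cookie means nothing is attached automatically by a browser,
        # so the credential must have been added deliberately by the client.
        if headers.get("Authorization", "").startswith("Token "):
            return True, "header-authenticated client"
        return False, "unauthenticated"
    # Cookie-authenticated: the browser sends this cookie on cross-site requests too,
    # so require a token that only same-origin script could have read and echoed.
    sent = headers.get("X-CSRFToken", "")
    expected = cookies.get("csrftoken", "")
    if sent and expected and hmac.compare_digest(sent, expected):
        return True, "csrf token matches"
    return False, "csrf token missing or wrong"


def demo():
    """Run the gate over constructed sample requests (not captured traffic)."""
    tok = issue_csrf_token()
    session = {"sessionid": "constructed-session", "csrftoken": tok}
    samples = {
        "ios_app_post": ("POST", {"Authorization": "Token constructed"}, {}),
        "site_post_with_token": ("POST", {"X-CSRFToken": tok}, session),
        "cross_site_form_post": ("POST", {}, session),
        "cross_site_get": ("GET", {}, session),
    }
    return {name: csrf_check(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'} ({reason})")
```

The `cross_site_get` case is allowed by design, which is why GET handlers must stay free of side effects.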
