Is exposing a session's CSRF-protection token safe?

情话喂你 2020-12-08 02:58

Django comes with CSRF protection middleware, which generates a unique per-session token for use in forms. It scans all incoming POST requests for the correct t

3 answers
  •  长情又很酷
    2020-12-08 03:51

    If you know you're going to need the CSRF token for AJAX requests, you can always embed it in the HTML somewhere; then you can find it through JavaScript by traversing the DOM. This way, you'll still have access to the token, but you're not exposing it via an API.

    To put it another way: do it through Django's templates -- not through the URL dispatcher. It's much more secure this way.
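The template-plus-DOM approach the answer describes, as an added example that is not part of the original post: the token rendered by Django's csrf_token template tag is read from the page and sent back in the request header Django's middleware checks. It assumes Django's default hidden-input name `csrfmiddlewaretoken` and header name `X-CSRFToken`; the form markup below is constructed sample data.

```javascript
// Added example, not from the original answer. Reads the CSRF token that a
// Django template rendered into the page (csrf_token tag) and attaches it to
// an AJAX POST as the X-CSRFToken header. Input name and header name are
// Django's defaults; nothing here is served from a separate token endpoint.

// Pure helper, runnable outside a browser: find the token in rendered markup.
function csrfTokenFromMarkup(html) {
  const m = html.match(
    /<input[^>]*name=["']csrfmiddlewaretoken["'][^>]*value=["']([^"']+)["']/i
  );
  return m ? m[1] : null;
}

// Browser variant: traverse the DOM rather than matching text.
function csrfTokenFromDocument(doc) {
  const el = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  return el ? el.value : null;
}

// fetch() options for a same-origin POST that carries the token in a header.
// credentials: 'same-origin' sends the session cookie the token is tied to;
// a missing token is an error, so the request never goes out unprotected.
function csrfPostOptions(token, body) {
  if (!token) {
    throw new Error('CSRF token missing: render the csrf_token tag in the template');
  }
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'X-CSRFToken': token, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Constructed sample of what Django's csrf_token tag renders (token is fake).
const SAMPLE_FORM = `<form method="post">
  <input type="hidden" name="csrfmiddlewaretoken" value="CONSTRUCTEDTOKENvalue123">
  <button type="submit">Save</button>
</form>`;

// Browser usage:
// fetch('/api/save/', csrfPostOptions(csrfTokenFromDocument(document), { id: 1 }));
```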
