I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware compon
If you are using a Class Based View then you will need to csrf_exempt the dispatch method rather than the post method like this:
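    from django.utils.decorators import method_decorator
    from django.views.decorators.csrf import csrf_exempt

    # Inside the body of the MyView class:
    @method_decorator(csrf_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super(MyView, self).dispatch(request, *args, **kwargs)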
See this bug ticket: https://code.djangoproject.com/ticket/15794
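An added illustration, not part of the answer above and not Django's own code: a simplified pure-Python model of why the exemption has to sit on dispatch. It assumes the CSRF middleware checks a `csrf_exempt` attribute on the callable returned by `as_view()`, and that `as_view()` copies attributes from `dispatch` only; `View`, `csrf_middleware`, `ExemptPost`, `ExemptDispatch` and `status_for` are stand-ins written for this example.

```python
# Simplified stand-ins for csrf_exempt, method_decorator, View and the CSRF middleware.
import functools

def csrf_exempt(view_func):
    @functools.wraps(view_func)
    def wrapped(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped.csrf_exempt = True  # the flag the middleware looks for
    return wrapped

def method_decorator(decorator):
    def adapt(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            return decorator(functools.partial(method, self))(*args, **kwargs)
        wrapper.__dict__.update(decorator(method).__dict__)
        return wrapper
    return adapt

class View:
    @classmethod
    def as_view(cls):
        def view(request):
            return cls().dispatch(request)
        # Only attributes set on dispatch reach the callable the middleware sees.
        view.__dict__.update(cls.dispatch.__dict__)
        return view
    def dispatch(self, request):
        return getattr(self, request["method"].lower())(request)

def csrf_middleware(callback, request):
    if getattr(callback, "csrf_exempt", False):
        return callback(request)
    return 403 if request["method"] == "POST" else callback(request)

class ExemptPost(View):
    @method_decorator(csrf_exempt)  # flag lands on post, never on the view
    def post(self, request):
        return 200

class ExemptDispatch(View):
    @method_decorator(csrf_exempt)  # flag lands on dispatch, copied by as_view()
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)
    def post(self, request):
        return 200

def status_for(view_cls):
    # Constructed request: a POST that carries no CSRF token.
    return csrf_middleware(view_cls.as_view(), {"method": "POST"})
```

Because the exemption removes the token check for every method the view handles, a view exempted this way needs its own authentication that does not depend on the browser's session cookie.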
How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?
Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.