Reputation: 2195
Django and CSRF protection for mobile apps
I am using Django + Django REST Framework + Django OAuth Toolkit.
I understand that AJAX calls from a web session require CSRF protection, but it is my understanding that mobile apps don’t as the very thing CSRF check are protecting against can’t happen in a dedicated app. If a person has an OAuth token, they are not using our web app so it seems I don’t need to perform CSRF checks in that case.
Is there any way to disable CSRF checks on REST Framework endpoints when a request includes an OAuth token, and if so is this a safe thing to do? Or should all requests be protected by the CSRF mechanism regardless?
Upvotes: 3
Views: 800
Answers (1)
Reputation: 24231
You should probably be using DRF's token authentication with a mobile app. Initially, the user logs in to your backend with a username and password and then the backend issues a token for that instance of the mobile app, which [securely] stores the token locally. With token authentication and the reality of sending your credentials (over SSL/HTTPS) to the server on every request, you obviate the need for a CSRF check and thus no CSRF check is done.
Upvotes: 2
Related Questions
- angular, django and csrf
- CSRF protection on IOS native app registration form?
- csrf protection on mobile devices ( running in cordova)
- django csrf in mobile apps
- Django CSRF protection for mobile apps and chrome extensions
- CSRF verification failed on authorization
- django csrf for api that works with ios apps
- CSRF Protection in Django 1.4
- CSRF protection in Django
- how to use django_csrf for mobile application