Alejandro Veintimilla

Reputation: 11523

Django. Ajax. Is it wrong to send the csrf token like this?

I'm wondering if I'm doing it correctly and if it is safe. Usually I send the csrf token on an AJAX request using jQuery like this:

$.ajax({
    method: "POST",
    ...
    data: {...'csrfmiddlewaretoken': '{{csrf_token}}'},
});

It works, but the documentation doesn't say anything about doing something like this. What is the difference between this and doing what the documentation recommends (getting the cookie and setting it on the header)?

Upvotes: 2

Views: 507

Answers (2)

Oleksii M

Reputation: 1518

Disadvantages of using the context variable over the header are:

  1. You should always include csrfmiddlewaretoken in data.
  2. In general, you cannot store your JS code in a separate file; you are restricted to storing it in templates.

Django docs provide you with copy-paste JS code that you can include in your scripts at project level and forget about csrfmiddlewaretoken.

Upvotes: 1

Alasdair

Reputation: 308809

The advantage of reading the value from the cookie and then setting the header is that it is less repetitive. It also works if your ajax request is in a static JavaScript file (if it's not a Django template, then you can't use {{ csrf_token }}).

However, if you are happy adding the csrf token to the data of each ajax post request, that is fine, there is no problem doing it that way.

Upvotes: 1
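The cookie-to-header approach both answers describe, as an added example (not code from the question, either answer, or Django's own docs snippet). It assumes Django's default cookie name csrftoken and header name X-CSRFToken, and takes the cookie string as a parameter so the logic can run outside a browser:

```javascript
// Added example: read the csrftoken cookie and send it as the X-CSRFToken
// header on state-changing requests, so the token never has to be written
// into a template and the JS can live in a static file.

// Parse one cookie out of a document.cookie-style string.
// Assumes Django's default CSRF_COOKIE_NAME of "csrftoken".
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Django only enforces CSRF on unsafe methods; the header is not needed
// on these, so they are sent without it.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build fetch() options for a same-origin JSON request. The token is read
// from the cookie at call time, so it is always the current one.
function buildRequest(method, body, cookieString) {
  const headers = { 'Content-Type': 'application/json' };
  if (!csrfSafeMethod(method)) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) {
      // Cookie is only set once a view has rendered the token (or uses
      // Django's ensure_csrf_cookie decorator); fail loudly rather than
      // sending a request that will be rejected with 403.
      throw new Error('csrftoken cookie missing');
    }
    headers['X-CSRFToken'] = token;
  }
  return {
    method,
    headers,
    credentials: 'same-origin', // send the session and csrf cookies
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Browser usage (constructed; only runs where document and fetch exist):
// fetch('/api/items/', buildRequest('POST', { name: 'x' }, document.cookie));
```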
