yierstem

Reputation: 2067

Handling CSRF token when working with Django Rest Framework JWT

Having the JWT token required for every request to the API, should I keep CSRF protection? Considering no one has access to others' JWT token, of course.

If yes, how could I get the CSRF token, since I don't use Django templates (I'm using Vue separately)?

If not, is it OK to completely delete the CSRF middleware from settings?

Thanks in advance.

Upvotes: 2

Views: 2049

Answers (2)

Paul Griffin

Reputation: 133

If you are storing the JWT in localStorage, you are not vulnerable to CSRF because localStorage cannot be accessed across domains. You should be aware, however, that there is debate as to whether it is wise to keep a JWT in localStorage, since it can be stolen if you fall victim to XSS. The alternative is to store the token in an httpOnly cookie, in which case you must use CSRF protection.

Upvotes: 1

yogkm

Reputation: 649

If you're using Django, csrf_token will be in your site cookies. You can access it from cookies and pass it along with the request.

Upvotes: 1
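One way to do what this answer describes from a Vue (browser) client, as an added example that is not part of the answer: read Django's CSRF cookie and send it back as the `X-CSRFToken` header on state-changing requests, next to the JWT. It assumes Django's default cookie name (`csrftoken`) and header name, and the `JWT` Authorization prefix used by djangorestframework-jwt; the cookie string is passed in as a parameter (use `document.cookie` in the app) so the code also runs outside a browser.

```javascript
// Added example (not from the answer): attach Django's CSRF token to an API
// request. Django's default cookie name is "csrftoken" and CsrfViewMiddleware
// reads the submitted token from the "X-CSRFToken" request header.
const CSRF_COOKIE_NAME = "csrftoken";
const CSRF_HEADER_NAME = "X-CSRFToken";
// Methods Django's CSRF middleware treats as safe and does not check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a cookie string (document.cookie in the browser) into a Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies.set(name, decodeURIComponent(value));
  }
  return cookies;
}

// Build fetch() init options carrying the JWT and, for unsafe methods only,
// the CSRF token read from the cookie. Throws if the cookie is absent: Django
// only sets it once a view has asked for a token (e.g. ensure_csrf_cookie),
// so a missing cookie is a client-side setup bug worth failing loudly on.
function buildRequestInit(method, jwt, cookieString, body) {
  const headers = {
    "Content-Type": "application/json",
    Authorization: `JWT ${jwt}`, // assumed prefix (djangorestframework-jwt default)
  };
  const upper = method.toUpperCase();
  if (!SAFE_METHODS.has(upper)) {
    const token = parseCookies(cookieString).get(CSRF_COOKIE_NAME);
    if (!token) throw new Error(`CSRF cookie "${CSRF_COOKIE_NAME}" not found`);
    headers[CSRF_HEADER_NAME] = token;
  }
  return {
    method: upper,
    headers,
    credentials: "same-origin", // send cookies so Django can compare cookie and header
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Constructed sample values (not real credentials) for a stand-alone run.
const SAMPLE_COOKIES = "sessionid=abc; csrftoken=dGVzdA%3D%3D; theme=dark";
const SAMPLE_JWT = "header.payload.signature";
// Usage in the app: fetch("/api/items/", buildRequestInit("post", jwt, document.cookie, data))
```

The cookie is only readable from JavaScript while `CSRF_COOKIE_HTTPONLY` stays at its default of `False`; with the JWT itself in an httpOnly cookie (the other answer's setup) this same header is what makes Django's CSRF check pass.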
