Reputation: 186
I think I am slowly getting the hang of Django, but am relatively new and self-taught at programming. I have been using form.as_p and form.as_ul in templates, but wanted to get a better understanding of how to make them look better. I looked at the Django documentation on how to manually render forms. That seems to work as advertised, and I can show the individual fields etc. on my HTML page. However, in the documentation this is highlighted:
Forms and Cross Site Request Forgery protection Django ships with an easy-to-use protection against Cross Site Request Forgeries. When submitting a form via POST with CSRF protection enabled you must use the csrf_token template tag as in the preceding example. However, since CSRF protection is not directly tied to forms in templates, this tag is omitted from the following examples in this document.
I don't think I understand what is meant by the last line. I assume it means that I can render the form all I want, but unless there is a Post request being made I don't need a CSRF token.
Is there an example of how to manually render forms with post requests and CSRF tokens?
I am also assuming that when I am writing forms in html that since they are not interacting with the model and database that no CSRF is needed? Is that because the vulnerability of concern is usually injecting something unwanted into the database?
I looked at some of the other Django CSRF documentation and got a little bit of an idea of how the middleware is needed to implement CSRF protection, but I think it assumes some more detailed background knowledge than I have. Any suggestions for something to read to learn more and get a better understanding of POSTs and CSRF, and I guess cookies etc.?
Upvotes: 2
Views: 980
Reputation: 4818
I assume it means that I can render the form all I want, but unless there is a Post request being made I don't need a CSRF token.
Yes, a CSRF token is required for PUT and POST requests. It is not required for GET requests. But you should NOT use GET to send form data.
A CSRF token is not a property of forms. This token is used by the application to validate requests coming from the client.
Is there an example of how to manually render forms with post requests and CSRF tokens?
As explained in the docs, it is pretty straightforward.
<form action="{% url "submit-form-url-name" %}" method="post" accept-charset="utf-8">
{% csrf_token %}
{{ form.field1 }}
{{ form.field2 }}
...
</form>
Is that because the vulnerability of concern is usually injecting something unwanted into the database?
The CSRF token is generated on the server side. It is attached to the user's session and is used to validate user requests. If a user is sending some form data to the server with the aim of persisting that data in a database/file/cache, it is good practice to validate that the request is really coming from a valid user only.
...got a little bit of an idea of how the middleware is needed to implement CSRF protection...
Django provides a default CSRF middleware, and it is pretty easy to configure and use.
Note that CSRF is no longer an OWASP Top 10 security concern. It used to be earlier.
Upvotes: 2
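To make the answer's point concrete (the token is tied to the session, checked only on unsafe methods, and rendered as a hidden input by `{% csrf_token %}`), here is a small standalone model of that check. It is an added example, not Django's middleware: the real middleware keeps the secret in a cookie by default and masks the rendered value, while this model keeps only the core comparison. The function names, the `/submit/` action and the session handling are constructed for illustration.

```python
import hmac
import secrets
from html import escape
from typing import Optional

# Django's middleware treats these methods as "safe" and does not check them;
# every other method (POST, PUT, PATCH, DELETE) must carry a valid token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Name of the hidden input that {% csrf_token %} renders in Django templates.
TOKEN_FIELD = "csrfmiddlewaretoken"


def issue_token() -> str:
    """Server-side secret tied to one user session (simplified model)."""
    return secrets.token_urlsafe(32)


def render_form(action: str, session_token: str) -> str:
    """A manually rendered form after {% csrf_token %} has been expanded."""
    return (
        f'<form action="{escape(action)}" method="post">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{escape(session_token)}">\n'
        '  <input type="text" name="field1">\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def csrf_check(method: str, session_token: Optional[str], form_data: dict):
    """Return (accepted, reason) for one request.

    Safe methods pass untouched. Unsafe methods are accepted only when the
    submitted token equals the one the server issued to this session; the
    comparison is constant-time so timing does not leak anything.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token needed"
    if not session_token:
        return False, "no CSRF token issued for this session"
    submitted = form_data.get(TOKEN_FIELD)
    if not submitted:
        return False, "CSRF token missing from form data"
    if not hmac.compare_digest(submitted, session_token):
        return False, "CSRF token mismatch"
    return True, "token verified"


if __name__ == "__main__":
    tok = issue_token()
    print(render_form("/submit/", tok))
    # A page on another site cannot read tok, so its forged POST arrives without it.
    print(csrf_check("POST", tok, {"field1": "x"}))
    print(csrf_check("POST", tok, {"field1": "x", TOKEN_FIELD: tok}))
```

A GET that only renders the form never reaches the token comparison, which is why the docs can omit the tag from the rendering examples while still requiring it on every POST.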