quqa123

Reputation: 675

Is it safe to pass csrf_token directly to ajax post data?

I have a concern about the safety of using Django's {{ csrf_token }} in an ajax call written inside a template. Consider the case below:

    // Rendered by the Django template engine: both template tags are expanded
    // into the page before the browser ever runs this script.
    function set_sensitive_data() {
        $.ajax({
            url: "{% url 'some_sensitive_view' %}",
            method: "POST",
            data: {
                // token emitted inline by the template, checked by CsrfViewMiddleware
                'csrfmiddlewaretoken': "{{ csrf_token }}",
                'sensitive_data': "{{ some_data }}"
            },
        });
    }

It works perfectly fine, but is there any particular reason why I shouldn't do it this way? I've read the Django docs and know that the preferred way is to use cookies, but that's not my case and I'm not asking about other solutions. I just want to know whether this way is unsafe and, if so, why.

Upvotes: 0

Views: 172

Answers (1)

Aayush Agrawal

Reputation: 1394

This is fine. The CSRF token is not reusable and the token is still encrypted in transit as long as you're using HTTPS.

Upvotes: 2
