prostock

Reputation: 9535

CSRF exempt for iPhone posting to Django site

I have a web form that is used by users to post onto my site. I would like to use the same Django view to handle POST requests made by the iPhone. Since I have CSRF middleware set in Django, the iPhone app cannot post. I read a few posts and they mention making the particular view CSRF exempt. Is this the standard solution? Does that mean all sites that allow users to post via iPhone are vulnerable to CSRF attacks?

Upvotes: 0

Views: 813

Answers (1)

0x90

Reputation: 6259

Any form that can be posted by a machine (e.g. an iOS app) is susceptible to CSRF.

There's no way around it. If you can code it in Objective-C someone else can code it in JS.

The "standard" way to solve this problem would be to create a separate API for the iPhone to use. Users fill out the form and send it. The iPhone talks directly to the dedicated API and circumvents the form altogether.

To secure the iPhone API from unauthorized access you have two main options:

1) Send the API requests over HTTPS and password protect them.

2) Embed an SSL certificate in your app and do an SSL handshake with two-way authentication between the device and the server.

Upvotes: 2
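The split the answer describes (a CSRF-protected browser form plus a separate, password-protected API endpoint for the app, both calling the same business logic) as an added example. This is not code from the question, the answer, or Django itself: it is a framework-free Python sketch of the two entry points, with an in-memory user table, an in-memory session store and plain-text passwords that are constructed for the example (a real deployment would use Django's auth models and password hashing). The browser path checks the session cookie plus a form token, exactly what Django's `CsrfViewMiddleware` enforces; the API path never reads cookies and instead requires an `Authorization` header over HTTPS, which is why a cross-site page cannot forge a request to it even though the view is CSRF exempt: a victim's browser will attach cookies to a forged request but cannot add that header.

```python
import base64
import hmac
import secrets

# Constructed sample credential store (assumption for this example; Django
# would use its auth tables and hashed passwords, never plain text).
USERS = {"alice": "correct-horse-battery-staple"}

# In-memory session store: session id -> {"user": name, "csrf": token}
SESSIONS = {}


def _ct_equal(a, b):
    """Constant-time string comparison for secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def login_browser(username, password):
    """Browser login. Returns (session_id, csrf_token): the session id goes
    into the session cookie, the CSRF token into the rendered form."""
    stored = USERS.get(username)
    if stored is None or not _ct_equal(stored, password):
        return None
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf": csrf_token}
    return session_id, csrf_token


def create_post(user, text):
    """Shared business logic called by both entry points."""
    return {"status": 201, "author": user, "text": text}


def handle_form_post(cookies, form):
    """Browser entry point. Identity comes from the session cookie, which the
    browser attaches to any cross-site request, so a CSRF token is required."""
    session = SESSIONS.get(cookies.get("sessionid", ""))
    if session is None:
        return {"status": 403, "error": "no session"}
    submitted = form.get("csrfmiddlewaretoken", "")
    if not _ct_equal(session["csrf"], submitted):
        return {"status": 403, "error": "CSRF token missing or incorrect"}
    return create_post(session["user"], form.get("text", ""))


def handle_api_post(scheme, headers, body):
    """iPhone entry point (the CSRF-exempt view). Cookies are never consulted;
    identity comes from an Authorization header that only the app can supply,
    so there is no ambient credential for a cross-site page to ride on."""
    if scheme != "https":
        return {"status": 403, "error": "credentials only accepted over HTTPS"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"status": 401, "error": "Authorization header required"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        username, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return {"status": 401, "error": "malformed credentials"}
    stored = USERS.get(username)
    if stored is None or not _ct_equal(stored, password):
        return {"status": 401, "error": "bad credentials"}
    return create_post(username, body.get("text", ""))


def basic_auth_header(username, password):
    """What the iPhone app puts in its Authorization header."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    sid, tok = login_browser("alice", "correct-horse-battery-staple")
    # A forged cross-site form POST carries the cookie but not the token.
    print(handle_form_post({"sessionid": sid}, {"text": "forged"}))
    # A forged request to the API carries the cookie but no Authorization.
    print(handle_api_post("https", {}, {"text": "forged"}))
    # The real app supplies credentials itself.
    hdr = {"Authorization": basic_auth_header("alice", "correct-horse-battery-staple")}
    print(handle_api_post("https", hdr, {"text": "from the app"}))
```

Option 2 in the answer (a client certificate embedded in the app, verified in a mutual-TLS handshake) replaces the `Authorization` check with the server's TLS layer; the CSRF argument is the same, because a browser on another site cannot present that certificate either.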
