{"id":127,"date":"2025-04-03T17:07:09","date_gmt":"2025-04-03T17:07:09","guid":{"rendered":"https:\/\/kingstatue.com\/?p=127"},"modified":"2025-04-03T17:07:09","modified_gmt":"2025-04-03T17:07:09","slug":"how-cross-site-request-forgery-csrf-token-works","status":"publish","type":"post","link":"https:\/\/www.kingstatue.com\/?p=127","title":{"rendered":"How Cross-Site Request Forgery (CSRF) token works?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>CSRF Protection in Django<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Django includes built-in CSRF protection using middleware (<code>django.middleware.csrf.CsrfViewMiddleware<\/code>) which is included in the settings.py file of a django project.<\/li>\n\n\n\n<li>When a user loads a page with a form, Django generates a <strong>unique CSRF token<\/strong> for the session.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Embedding the Token in Forms<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>{% csrf_token %}<\/code> tag is placed inside <code>&lt;form><\/code> elements in Django templates.<\/li>\n\n\n\n<li>It renders a hidden <code>&lt;input><\/code> field containing the CSRF token.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;form method=\"POST\">\n    {% csrf_token %}\n    &lt;input type=\"text\" name=\"username\">\n    &lt;input type=\"submit\" value=\"Submit\">\n&lt;\/form>\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After rendering, it becomes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;input type=\"hidden\" name=\"csrfmiddlewaretoken\" value=\"some_random_token\"><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Verification on the Server<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When the form is submitted, Django checks the CSRF token sent in the request against the one stored in the user&#8217;s session.<\/li>\n\n\n\n<li>If they match, the request is processed; otherwise, Django 
<strong>rejects<\/strong> the request with a <strong>403 Forbidden<\/strong> error.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When is <code>{% csrf_token %}<\/code> Required?<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always use <code>{% csrf_token %}<\/code> in <strong>HTML forms that use <code>POST<\/code> requests<\/strong>.<\/li>\n\n\n\n<li>Not needed for <code>GET<\/code> requests, since they should not modify data.<\/li>\n\n\n\n<li>Necessary in AJAX requests that modify data (e.g., <code>POST<\/code>, <code>PUT<\/code>, <code>DELETE<\/code>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CSRF Protection in AJAX Requests:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If using JavaScript (e.g., jQuery) for AJAX requests:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Read the csrftoken cookie set by CsrfViewMiddleware (this helper is not part of jQuery)\nfunction getCookie(name) {\n    const match = document.cookie.split(\"; \").find(c => c.startsWith(name + \"=\"));\n    return match ? decodeURIComponent(match.slice(name.length + 1)) : null;\n}\n\n$.ajax({\n    url: \"\/submit\/\",\n    type: \"POST\",\n    headers: { \"X-CSRFToken\": getCookie(\"csrftoken\") }, \/\/ Send CSRF token in headers\n    data: { username: \"john\" }\n});<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Summary:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>{% csrf_token %}<\/code> prevents CSRF attacks by embedding a unique token in forms.<\/li>\n\n\n\n<li>Django validates the token before processing POST requests.<\/li>\n\n\n\n<li>Essential for security in web applications handling form submissions.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>CSRF Protection in Django Embedding the Token in Forms After rendering, it becomes: Verification on the Server When is {% csrf_token %} Required? 
CSRF Protection in AJAX Requests: If using&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[43,48,72],"class_list":["post-127","post","type-post","status-publish","format-standard","hentry","category-django","tag-csrf_token","tag-django","tag-security"],"_links":{"self":[{"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=127"}],"version-history":[{"count":0,"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=\/wp\/v2\/posts\/127\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kingstatue.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}