What is CSRF token in Django?


CSRF stands for Cross-Site Request Forgery. It occurs when a malicious website tricks users into unknowingly loading a URL from a site where they are already authenticated, exploiting their logged-in status and putting their data at risk.

To understand exactly what a CSRF attack is, let us look at an example. Assume you're logged into csrfexample.com's webmail account.

The Log Out button on this webmail site leads to the URL csrfexample.com/logout. That is, all you have to do to log out is visit the page csrfexample.com/logout.

A malicious site can force you to visit csrfexample.com/logout by hiding that URL in its own page.

If you're logged into your csrfexample.com account and visit a malicious page with a link to csrfexample.com/logout, you'll be logged out of csrfexample.com.

Obviously, being logged out of a webmail service against your will isn't a terrible security violation, but if the same type of attack were to happen on an online banking or e-commerce site, it could be very dangerous.

Since CSRF is a common threat, Django offers a simple method to prevent it.

Django CSRF Token

Django provides the {% csrf_token %} template tag to prevent these attacks. When the server renders the page, it generates a token and cross-checks every request that comes back against this token. A forged request does not include the token, so it is not executed.

The following piece of code is extracted from a word count Django project. In the project, Django renders an HTML page containing a form that takes text input from the user and returns the word count of the text.

In this form, the csrf token is inserted to prevent the attack on this data.

<h1>
   WORD COUNT
</h1>
<a href="/home/">My Home</a>
<form action="count" method="post">
   {# The CSRF token goes inside the POST form so it is submitted with it. #}
   {% csrf_token %}
   <textarea cols="50" rows="10" name="FullText"></textarea>
   <br/>
   <input type="submit" value="CountMe"/>
</form>

Preventing CSRF Attack

Here are the steps to prevent a CSRF attack.

  • The first step is to make sure all GET requests are free of side effects. That way, if a malicious site embeds one of your pages, it will not have a negative effect.

  • That leaves the POST requests to be attended. So, we move on to the next step.

  • The second step is to give each POST a hidden field whose value is secret and is generated from the user’s session ID.

  • Then, when processing the form on the server side, check for that secret field and raise an error if it does not validate.
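The steps above, written out as an added example (not part of the original article and not Django's own middleware code). It uses only the Python standard library; the names SERVER_KEY, make_csrf_token, render_form and handle_request, the csrf_token field name and the sample session ID are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret key, generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the hidden-field value from the user's session ID."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Step 2: every POST form carries the token as a hidden field."""
    token = make_csrf_token(session_id)
    return (
        '<form action="count" method="post">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}"/>\n'
        '  <textarea name="FullText"></textarea>\n'
        '  <input type="submit" value="CountMe"/>\n'
        '</form>'
    )


def handle_request(method: str, session_id: str, form: dict) -> int:
    """Step 3: validate the hidden field; return an HTTP status code."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200  # Step 1: safe methods have no side effects, no token needed
    submitted = form.get("csrf_token", "")
    expected = make_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403  # missing or wrong token: reject before any side effect
    return 200


if __name__ == "__main__":
    sid = "constructed-session-id-for-alice"  # constructed sample value
    good = {"csrf_token": make_csrf_token(sid), "FullText": "hello world"}
    forged = {"FullText": "hello world"}  # a cross-site form cannot read the token
    print(handle_request("POST", sid, good))    # 200
    print(handle_request("POST", sid, forged))  # 403
```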

To prevent CSRF attacks, Django provides built-in middleware.

The django.contrib.csrf package contains only one module: middleware.py. This module contains a Django middleware class, CsrfMiddleware, which implements the CSRF protection.

To activate this CSRF protection, add 'django.contrib.csrf.middleware.CsrfMiddleware' to the MIDDLEWARE_CLASSES setting in your settings file.

This middleware needs to process the response after SessionMiddleware, so CsrfMiddleware must appear before SessionMiddleware in the list. This is because the response middleware is processed last-to-first.

Updated on: 02-Sep-2022
