@bengolder
Created December 9, 2014 19:34
Django REST Framework and CSRF protection for AJAX POSTs.

csrf.js

var jQuery = window.$;

// using jQuery
function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) === (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}

function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

var csrftoken = getCookie('csrftoken');

jQuery.ajaxSetup({
    beforeSend: function(xhr, settings) {
        // Only unsafe, same-origin requests get the header, so the token is
        // never sent to another domain.
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});

module.exports = csrftoken;

Django settings (settings.py)

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
    ),
}
@bengolder (Author)

After looking at lots of confusing StackOverflow threads, I realized what I needed to do for authentication to work properly on my single page app, which uses Django REST Framework for AJAX calls. In short, I needed to use the SessionAuthentication class, and set the X-CSRFToken header on unsafe API calls. I was confused at first because the CSRFMiddleware had already set the csrf token cookie, which was being sent along with the POSTs, but it was looking for a header, not a cookie.
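The comment above describes the double-submit check that makes the header necessary: the browser attaches the csrftoken cookie to every request, including ones a hostile page triggers, so Django only trusts a token that the page's own JavaScript copied into the X-CSRFToken header. The following is an added illustration, not code from this gist or from Django/DRF: a dependency-free Python reduction of what SessionAuthentication's CSRF enforcement decides for a request, with the cookie lookup mirroring the gist's getCookie() and the safe-method list mirroring csrfSafeMethod(). The request shape (a method plus a header dict), the function names and the sample token are constructed for the example; Django additionally masks its 64-character token before comparing, which is omitted here as a simplification.

```python
"""Double-submit CSRF check reduced to plain Python (no Django required).
Hypothetical helper names and constructed sample requests; this is an
illustration of the decision, not Django's or DRF's own implementation."""
import hmac
import re
from http.cookies import SimpleCookie

CSRF_COOKIE_NAME = "csrftoken"     # Django's default CSRF_COOKIE_NAME
CSRF_HEADER_NAME = "X-CSRFToken"   # the header csrf.js sets on unsafe calls
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # same set as csrfSafeMethod()
# Django draws tokens from [a-zA-Z0-9]; reject anything else before comparing.
TOKEN_RE = re.compile(r"^[a-zA-Z0-9]{32,64}$")


def get_cookie(cookie_header, name):
    """Python counterpart of the gist's getCookie(): return one cookie's value
    from a raw Cookie header, or None when that cookie is absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def enforce_csrf(method, headers):
    """Return (ok, reason) for a request. `headers` is a dict of request
    headers; the raw Cookie header is read from it case-insensitively.
    Unsafe methods must present a header token matching the cookie token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    lowered = {k.lower(): v for k, v in headers.items()}
    cookie_token = get_cookie(lowered.get("cookie"), CSRF_COOKIE_NAME)
    if cookie_token is None:
        return False, "CSRF cookie not set"
    header_token = lowered.get(CSRF_HEADER_NAME.lower())
    if not header_token:
        # This is the failure the gist's author hit: the cookie rode along
        # with the POST, but nothing had copied it into the header.
        return False, "CSRF token missing from request header"
    if not (TOKEN_RE.match(cookie_token) and TOKEN_RE.match(header_token)):
        return False, "CSRF token has incorrect format"
    # Simplification: Django unmasks the token first; here the header must carry
    # the cookie value itself. Constant-time comparison avoids timing leaks.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "CSRF token incorrect"
    return True, "CSRF token verified"


# Constructed sample token and requests (not captured traffic).
TOKEN = "a1b2c3d4" * 4  # 32 chars, matches TOKEN_RE
SAMPLES = {
    # the single page app's own POST: cookie and header both present
    "spa_post_with_header": ("POST", {"Cookie": "sessionid=abc; csrftoken=" + TOKEN,
                                      "X-CSRFToken": TOKEN}),
    # a form post from another site: the browser adds the cookie, no header
    "cross_site_form_post": ("POST", {"Cookie": "sessionid=abc; csrftoken=" + TOKEN}),
    # header present but does not match the cookie
    "mismatched_header": ("POST", {"Cookie": "csrftoken=" + TOKEN,
                                   "x-csrftoken": "b" * 32}),
    # safe method: exempt, exactly as csrfSafeMethod() exempts it client-side
    "plain_get": ("GET", {"Cookie": "csrftoken=" + TOKEN}),
}


def run_samples():
    """Evaluate every constructed request and return {name: (ok, reason)}."""
    return {name: enforce_csrf(m, h) for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:24s} {'ALLOW' if ok else 'REJECT':6s} {reason}")
```

Running it shows only spa_post_with_header and plain_get are allowed; the cross-site form post is rejected even though it carries a valid csrftoken cookie, which is exactly why the csrf.js above has to set the header rather than relying on the cookie.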

@bengolder (Author)

The csrf.js above is set up for browserify. It just needs to be imported somewhere for it to run.


jangia commented Jan 5, 2017

Thanks, this settings part is what I've been missing.
