DEV Community: Md Sujauddin Sekh The latest articles on DEV Community by Md Sujauddin Sekh (@sujaudd1n). https://dev.to/sujaudd1n https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2668785%2F1f78b470-93cc-4a9d-945e-dbcb80912286.jpg DEV Community: Md Sujauddin Sekh https://dev.to/sujaudd1n en Using CSRF Protection with Django and AJAX Requests Md Sujauddin Sekh Tue, 07 Jan 2025 09:20:52 +0000 https://dev.to/sujaudd1n/using-csrf-protection-with-django-and-ajax-requests-b17 https://dev.to/sujaudd1n/using-csrf-protection-with-django-and-ajax-requests-b17 <h3> Using CSRF Protection with Django and AJAX Requests </h3> <p>Django has built-in support for protection against CSRF by using a CSRF token.<br> It's enabled by default when you scaffold your project using the <code>django-admin<br> startproject &lt;project&gt;</code> command, which adds a middleware in <strong>settings.py</strong>.</p> <p>Every POST request to your Django app must contain a CSRF token. In a Django<br> template, you do this by adding <code>{% csrf_token %}</code> to any form that uses the<br> POST method.</p> <p>Let's see how that can be done with AJAX from a frontend that is separate from<br> Django.</p> <h3> Setup </h3> <p>To show how it's done, we will build a simple app. In the backend, there is a<br> URL of a picture; a GET request will get the picture and a POST request will set<br> a new URL. The app has no error handling and such things in the frontend or<br> backend for simplicity.</p> <p>Right now it has two endpoints:</p> <ul> <li>GET <code>/get-picture</code> - gets the URL of an image stored in the server</li> <li>POST <code>/set-picture</code> - sets the URL of an image stored in the server</li> </ul> <p>And initially the backend code looks like this. I have written all the code in<br> <code>urls.py</code> just to make everything simple.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.urls</span> <span class="kn">import</span> <span class="n">path</span><span class="p">,</span> <span class="n">include</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">JsonResponse</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">picture_url</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://picsum.photos/id/247/720/405</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">get_picture</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="n">picture_url</span><span class="p">)</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">picture_url</span><span class="sh">"</span><span class="p">:</span> <span class="n">picture_url</span><span class="p">})</span> <span class="k">def</span> <span class="nf">set_picture</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="k">global</span> <span class="n">picture_url</span> <span class="n">picture_url</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">body</span><span class="p">)[</span><span class="sh">"</span><span class="s">picture_url</span><span class="sh">"</span><span class="p">]</span> <span class="n">picture_url</span> <span class="o">=</span> <span class="n">picture_url</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">picture_url</span><span class="sh">"</span><span class="p">:</span> <span class="n">picture_url</span><span class="p">})</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">path</span><span class="p">(</span><span class="sh">"</span><span class="s">get-picture</span><span class="sh">"</span><span class="p">,</span> <span class="n">get_picture</span><span class="p">),</span> <span class="nf">path</span><span class="p">(</span><span class="sh">"</span><span class="s">set-picture</span><span class="sh">"</span><span class="p">,</span> <span class="n">set_picture</span><span class="p">)</span> <span class="p">]</span> </code></pre> </div> <p>Now, for the frontend I'm showing you only the main functions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// Get the picture my making a GET request</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">get_picture</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:8000/get-picture</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">picture_url</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">picture_url</span><span class="p">;</span> <span class="k">return</span> <span class="nx">picture_url</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Tries to set the picture_url with a POST request</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">set_picture</span><span class="p">(</span><span class="nx">picture_url</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:8000/set-picture</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="dl">"</span><span class="s2">picture_url</span><span class="dl">"</span><span class="p">:</span> <span class="nx">picture_url</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>And for CORS reasons, you need to set up CORS in the backend, or else you can't<br> make a request. Without CORS configuration in the backend, you will get an error<br> like this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8000/get-picture. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200. </span></code></pre> </div> <p>To fix this, we have to add some headers to the responses. To do this, we will<br> use the <code>django-cors-headers</code> package.</p> <p>Install and configure <code>django-cors-headers</code> package.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">pip install django-cors-headers </span></code></pre> </div> <p>Configure in settings.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">corsheaders</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># and more ... </span><span class="p">]</span> <span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">corsheaders.middleware.CorsMiddleware</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># and more... </span><span class="p">]</span> <span class="n">CORS_ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:4040</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># change the port if you use port other than 4040 </span></code></pre> </div> <p>Now everything for the GET request will work fine. But if you try to set the<br> picture URL, in the backend you will see this error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Forbidden (Origin checking failed - http://localhost:4040 does not match any trusted origins.): /set-picture [06/Jan/2025 13:10:47] "POST /set-picture HTTP/1.1" 403 2554 </span></code></pre> </div> <p>And this is what we will fix.</p> <h3> Configure CSRF Protection </h3> <p>As your frontend is separate from Django, you need to manually ask for a CSRF<br> token. Django will send the token as a cookie by attaching it in the<br> <code>Set-Cookie</code> headers in the response. The token will be saved in your browser<br> cookie named <code>csrftoken</code>.</p> <p>First add you frontend URL to <code>CSRF_TRUSTED_ORIGINS</code> in settings.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">CSRF_TRUSTED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:4040</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p>Create a new view to return the CSRF token as a cookie.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.views.decorators.csrf</span> <span class="kn">import</span> <span class="n">ensure_csrf_cookie</span> <span class="nd">@ensure_csrf_cookie</span> <span class="k">def</span> <span class="nf">get_csrf_token</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="k">return</span> <span class="nc">JsonResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> <span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># more..., </span> <span class="nf">path</span><span class="p">(</span><span class="sh">"</span><span class="s">get-csrf-token</span><span class="sh">"</span><span class="p">,</span> <span class="n">get_csrf_token</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>Now, we have a way to get the CSRF token from the backend. To, get the token in<br> the frontend add the following code in your backend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:8000/get-csrf-token</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <p>It makes a request to get a token. With <code>credentials: "include"</code> it tells the<br> browser that if the response header contains any <code>Set-Cookie</code> header, it should<br> obey that instruction. If you remove the <code>credentails</code> property, the cookie<br> won't be set.</p> <p>If you are curious, look at the network in browser console and check the<br> headers. You will see a header similar to this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Set-Cookie: csrftoken=cyjpe3i9Nrq4yTFfnHjY3n5ekfo7blcu; expires=Mon, 05 Jan 2026 13:22:51 GMT; Max-Age=31449600; Path=/; SameSite=Lax </code></pre> </div> <h3> Modify the set-picture function </h3> <p>Now the only thing we have to do is to send the CSRF token with the set-picture<br> POST call. Modify the <code>set_picture</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">set_picture</span><span class="p">(</span><span class="nx">picture_url</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:8000/set-picture</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRFToken</span><span class="dl">'</span><span class="p">:</span> <span class="nx">Cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">csrftoken</span><span class="dl">"</span><span class="p">)</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="dl">"</span><span class="s2">picture_url</span><span class="dl">"</span><span class="p">:</span> <span class="nx">picture_url</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>We need to add an <code>X-CSRFToken</code> header, and its value will be the value of the<br> <code>csrftoken</code> cookie. To get the cookie, the js-cookie library has been used.</p> <p>Now the POST request should work fine. </p> <p>There may be other ways to do this. With this method, there are some cons you<br> need to be aware of. If you are deploying your frontend and backend on different<br> domains, there might be a problem with cookies due to browser security and<br> cookie policy. The browser might not set the CSRF cookie, because it will reject<br> any third-party cookie. And even if the security is low, you probably won't be<br> able to read the cookie value with <code>Cookies.get("csrftoken")</code> due to policies<br> related to cookies.</p> <p>Source Code: <a href="https://github.com/sujaudd1n/tutorials/tree/main/django-ajax-csrf" rel="noopener noreferrer">https://github.com/sujaudd1n/tutorials/tree/main/django-ajax-csrf</a></p> <h3> Learn More </h3> <ul> <li><a href="https://docs.djangoproject.com/en/5.1/howto/csrf/" rel="noopener noreferrer">https://docs.djangoproject.com/en/5.1/howto/csrf/</a></li> <li><a href="https://docs.djangoproject.com/en/5.1/ref/csrf/" rel="noopener noreferrer">https://docs.djangoproject.com/en/5.1/ref/csrf/</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" rel="noopener noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS</a></li> <li><a href="https://pypi.org/project/django-cors-headers/" rel="noopener noreferrer">https://pypi.org/project/django-cors-headers/</a></li> <li><a href="https://docs.djangoproject.com/en/5.1/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS" rel="noopener noreferrer">https://docs.djangoproject.com/en/5.1/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS</a></li> <li><a href="https://github.com/js-cookie/js-cookie" rel="noopener noreferrer">https://github.com/js-cookie/js-cookie</a></li> </ul> webdev django python javascript