Cross Site Request Forgery

This is a vulnerability where attackers trick authenticated users into executing unintended actions on a trusted site. By exploiting a user's active session, attackers can perform unauthorized actions such as changing account settings, transferring funds, or deleting data, bypassing user consent entirely by leveraging the user's own credentials.

CSRF Middleware

Django enables this middleware by default in settings.py:

MIDDLEWARE = [
    ...
    'django.middleware.csrf.CsrfViewMiddleware',
    ...
]

CSRF in Forms

If a form performs a POST request, include the {% csrf_token %} template tag within the <form> element:

<form method="post">
    {% csrf_token %}
    <!-- Your form fields here -->
    <button type="submit">Submit</button>
</form>

CSRF Related Settings

The following are some CSRF settings worth checking out:

CSRF_COOKIE_SECURE = True # For HTTPS sites
CSRF_COOKIE_HTTPONLY = True # Optional; prevents client-side script access to the cookie
CSRF_TRUSTED_ORIGINS = ['https://your-domain.com'] # If necessary, specify allowed origins for CSRF validation
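To make the three pieces above concrete (the middleware, the form token, and the settings), here is an added, dependency-free model of how a Django-style CSRF check decides whether to accept a POST. It is not Django's own code and does not import Django; it reproduces the essential logic in simplified form: a random secret in the csrftoken cookie, a per-form masked token that unmasks back to that secret, a constant-time comparison, and an Origin check against CSRF_TRUSTED_ORIGINS for HTTPS requests. The Request class, check_csrf, mask_secret and unmask_token are names invented for this example, and the settings values are the ones shown on this page.

```python
# Added illustration (not Django's code) of how CsrfViewMiddleware-style
# validation works. Names below (Request, check_csrf, mask_secret, ...)
# are invented for this example.
import hmac
import secrets
import string
from dataclasses import dataclass, field

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 symbols
CSRF_SECRET_LENGTH = 32

# Constructed settings, using the names from settings.py on this page.
CSRF_TRUSTED_ORIGINS = ["https://your-domain.com"]
CSRF_COOKIE_SECURE = True


def new_secret() -> str:
    """Random secret stored in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Per-form token = random mask + (secret shifted by the mask).

    Every rendered form gets a different token string for the same cookie,
    so the secret never appears verbatim in the response body."""
    mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: recover the cookie secret from a form token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for this example)."""
    method: str
    is_secure: bool
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    host: str = "your-domain.com"


def _well_formed(value: str, length: int) -> bool:
    return len(value) == length and all(c in CSRF_ALLOWED_CHARS for c in value)


def check_csrf(request: Request) -> tuple:
    """Return (accepted, reason). Safe methods are never blocked."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, "safe method"

    # 1. Origin check for HTTPS: the browser-supplied Origin must be the
    #    site itself or listed in CSRF_TRUSTED_ORIGINS. (Simplification:
    #    a missing Origin is rejected here; Django falls back to Referer.)
    if request.is_secure:
        origin = request.headers.get("Origin")
        allowed = set(CSRF_TRUSTED_ORIGINS) | {"https://" + request.host}
        if origin is None:
            return False, "missing Origin header"
        if origin not in allowed:
            return False, "untrusted origin " + origin

    # 2. The cookie secret must be present and well-formed.
    secret = request.cookies.get("csrftoken", "")
    if not _well_formed(secret, CSRF_SECRET_LENGTH):
        return False, "CSRF cookie not set"

    # 3. The token comes from the hidden form field rendered by
    #    {% csrf_token %}, or from the X-CSRFToken header for AJAX.
    token = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not _well_formed(token, 2 * CSRF_SECRET_LENGTH):
        return False, "CSRF token missing or incorrect"

    # 4. Constant-time comparison of the unmasked token with the cookie.
    if not hmac.compare_digest(unmask_token(token), secret):
        return False, "CSRF token does not match cookie"
    return True, "ok"


if __name__ == "__main__":
    cookie_secret = new_secret()
    form_token = mask_secret(cookie_secret)
    legit = Request("POST", True, cookies={"csrftoken": cookie_secret},
                    post={"csrfmiddlewaretoken": form_token},
                    headers={"Origin": "https://your-domain.com"})
    forged = Request("POST", True, cookies={"csrftoken": cookie_secret},
                     headers={"Origin": "https://attacker.invalid"})
    print("legitimate:", check_csrf(legit))
    print("cross-site:", check_csrf(forged))
```

The model shows why the forged request fails even though the browser sends the victim's cookie automatically: a page on another origin can neither read the csrftoken cookie nor obtain a token that unmasks to it, and its Origin is not in the allow list. It also shows the practical consequence of CSRF_COOKIE_HTTPONLY = True: since scripts can no longer read the cookie, an AJAX caller has to take its token from the hidden csrfmiddlewaretoken field that {% csrf_token %} renders and send it in the X-CSRFToken header.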