What is a CSRF token in Django?

A Cross-Site Request Forgery (CSRF) attack makes an authenticated end user's browser send requests to a web application that the user never intended to make.

The attacker does not need the user's password or session cookie. The browser attaches the site's cookies automatically to any request aimed at that site, including one triggered from a page the attacker controls (an auto-submitting hidden form, an image tag, a script). The server therefore sees a request that looks like it came from the logged-in user and carries it out. If the victim holds an administrative account, a single forged request can compromise the whole application.

CSRF is common enough that Django ships protection out of the box: the CsrfViewMiddleware (enabled in the default MIDDLEWARE setting) together with the {% csrf_token %} template tag.

csrf_token

The {% csrf_token %} tag renders a hidden input named csrfmiddlewaretoken into the form. Its value is derived from a secret that Django also stores in the csrftoken cookie (or in the session when CSRF_USE_SESSIONS is enabled). When the form is submitted, CsrfViewMiddleware compares the token from the request body (or from the X-CSRFToken header, for requests made from JavaScript) against that secret using a constant-time comparison. If the token is missing or does not match, the middleware rejects the request with HTTP 403 before the view runs. The check applies only to the "unsafe" methods POST, PUT, PATCH and DELETE; GET, HEAD, OPTIONS and TRACE are never checked, so state-changing actions must not be exposed over GET.

Django makes this seamless: a single tag inside the form is enough.

<!DOCTYPE html>
<html>
<head>
<title>Registration</title>
</head>
<body>
<form method="post">
{% csrf_token %} {# renders <input type="hidden" name="csrfmiddlewaretoken" value="..."> #}
<h2>Registration form</h2>
<input type="text" name="username">
<input type="submit" value="Register">
</form>
</body>
</html>

As seen above, the {% csrf_token %} tag is placed inside the <form> element. The template must be rendered with the request available (for example via render(request, "register.html")) so that the tag can read the token the middleware prepared. With this addition, the form's POST requests are protected: a request forged from another site cannot carry a valid token, because the attacker's page can neither read the victim's csrftoken cookie nor the hidden field in the rendered form. Two caveats for practitioners: JavaScript-initiated requests are not covered by the tag itself and must send the token in the X-CSRFToken header, and any view decorated with @csrf_exempt bypasses the check entirely.
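To make the check concrete, the following is an added example, not code from the page or from Django itself. It re-implements Django's token masking scheme (a 32-character secret in the csrftoken cookie, a 64-character masked token in the csrfmiddlewaretoken field) in plain Python so it runs without Django installed, and then runs a legitimate form submit, two forged cross-site POSTs, an AJAX request and a GET through the same check. The request dictionaries, the function names and the reason strings are constructed for the example; Django's real middleware additionally verifies the Origin/Referer headers on HTTPS requests, which this model omits.

```python
"""Model of Django's CSRF token check (added example, not Django's own code).

Django stores a random secret in the ``csrftoken`` cookie; ``{% csrf_token %}``
renders a *masked* copy of that secret into a hidden ``csrfmiddlewaretoken``
field. On every unsafe request the middleware unmasks the submitted token and
compares it to the cookie secret in constant time. Functions below re-create
that scheme; the Origin/Referer checks Django performs over HTTPS are omitted.
"""
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # 62 symbols
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_secret() -> str:
    """Random secret, as stored in the csrftoken cookie at first render."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Render-time token: a fresh random mask followed by (secret + mask) mod 62.

    A different mask on every render means the value in the page never equals
    the cookie byte-for-byte, which blunts compression-oracle (BREACH) attacks.
    """
    mask = new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Recover the secret from a masked token: (cipher - mask) mod 62."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def csrf_check(method: str, cookies: dict, post_data: dict, headers: dict) -> tuple:
    """Decide whether a request passes the CSRF check; returns (accepted, reason).

    Order mirrors Django's middleware: safe methods are never checked, the
    cookie secret must exist and be well-formed, then the token from the form
    field (or the X-CSRFToken header) must unmask to exactly that secret.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method, not checked"
    secret = cookies.get("csrftoken", "")
    if len(secret) != CSRF_SECRET_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in secret):
        return False, "CSRF cookie not set or malformed"
    token = post_data.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False, "CSRF token missing or has incorrect length"
    if not secrets.compare_digest(unmask_token(token), secret):   # constant-time compare
        return False, "CSRF token incorrect"
    return True, "token matches cookie secret"


def demo() -> dict:
    """Run constructed requests through the check and return the verdicts."""
    secret = new_csrf_secret()          # set in the victim's cookie on the first GET
    hidden_field = mask_secret(secret)  # what {% csrf_token %} put into the form
    # The browser sends the victim's cookie with every POST to the site, forged or not.
    cookies = {"csrftoken": secret}
    # An attacker's page cannot read the victim's cookie or the rendered form
    # (same-origin policy), so a forged POST has no token or a self-minted one.
    return {
        "legit_form":      csrf_check("POST", cookies, {"csrfmiddlewaretoken": hidden_field}, {}),
        "forged_no_token": csrf_check("POST", cookies, {}, {}),
        "forged_guess":    csrf_check("POST", cookies,
                                      {"csrfmiddlewaretoken": mask_secret(new_csrf_secret())}, {}),
        "ajax_header":     csrf_check("POST", cookies, {}, {"X-CSRFToken": hidden_field}),
        "plain_get":       csrf_check("GET", cookies, {}, {}),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

Note that the GET passes without any token: this is why a view that changes state on GET is unprotected regardless of {% csrf_token %}, and why the AJAX case only works because the script had legitimate same-origin access to the token before sending it in the header.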
