#### What is CSRF?
**Cross-Site Request Forgery (CSRF)** is a type of malicious attack where a user is tricked into performing actions they didn’t intend on a web application they’re authenticated in. For example, if a user is logged into their bank account in one tab and then clicks on a malicious link in another tab, that link could trigger unintended actions, such as transferring funds without their knowledge.
The way CSRF attacks work is simple: the attacker lures the user into making a request that the user themselves didn’t initiate. The malicious request is sent with the user’s credentials (like their session cookie), which makes it look legitimate to the server.
#### How Django Handles CSRF Protection
Django takes CSRF protection seriously and does most of the heavy lifting for you. The framework automatically ensures that requests coming from other sources can’t manipulate your forms by requiring a special **CSRF token** to be present.
When a user loads a page with a form, Django generates a unique CSRF token for that specific user session. This token is then embedded in every form on the page. When the user submits the form, the server checks that the token is valid. If the token is missing or incorrect, Django rejects the request, preventing any malicious action.
#### What You Need to Do as a Developer
Although Django handles most of the CSRF protection behind the scenes, you still need to add a CSRF token in your forms. This is a small but necessary step to ensure your forms are protected from CSRF attacks.
Here’s what you need to do:
##### 1. Using Django's Template System
If you’re working with Django’s template system, adding CSRF protection to your forms is incredibly simple. All you need to do is include the `{% csrf_token %}` tag within your form. For example:
<form method="POST" action="/submit-form/">
{% csrf_token %}
<!-- Other form fields here -->
<input type="submit" value="Submit">
</form>
This `{% csrf_token %}` tag generates a hidden input field in your form that contains the CSRF token. When the form is submitted, this token is sent to the server for validation.
##### 2. Why You Shouldn’t Worry
As a developer, you don’t have to worry about generating or validating the CSRF token yourself. Django automatically takes care of this for you. Once you include the token in your form, Django will handle the validation on the server side. If the CSRF token is missing or doesn’t match the one Django expects, the request will be rejected with a 403 Forbidden error.
#### What Happens If You Forget the CSRF Token?
If you forget to add the `{% csrf_token %}` tag to your form, Django will reject the form submission with an error, typically a 403 Forbidden response. This is because Django expects a CSRF token to be present in all POST requests.
It’s important to note that CSRF protection is only required for **POST** requests. GET requests don’t modify data, so they aren’t vulnerable to CSRF attacks. However, any form that modifies data (like creating, updating, or deleting resources) should include the CSRF token.
#### What About API Requests?
If you’re building an API with Django (particularly using Django REST Framework), you may wonder how CSRF protection fits in. By default, Django REST Framework disables CSRF protection for API endpoints that accept JSON data. This is because API requests often don’t rely on cookies for authentication. Instead, they might use other mechanisms like tokens, which offer their own protection. However, if your API uses cookies for authentication, you’ll need to manage CSRF protection manually.
#### Key Takeaways
- **CSRF attacks** are a serious threat where malicious requests are made on behalf of authenticated users without their knowledge.
- Django provides **built-in CSRF protection** for forms. All you need to do is include the `{% csrf_token %}` tag in your form templates.
- If you forget the CSRF token, **Django will reject the form submission** for POST requests.
- CSRF protection is **not required for GET requests** but is crucial for any forms that modify data.
#### Conclusion
CSRF protection might sound complex, but thanks to Django’s built-in safeguards, you don’t need to worry about the details. Just remember to include the `{% csrf_token %}` tag in your forms, and Django will handle the rest. This small step will go a long way in securing your web applications from potential threats.
