[2.1.x] Fixed #29858 -- Clarified docs regarding CSRF token header name.

Backport of a29fce8984 from master.
Tim Graham 2018-10-18 19:44:15 -04:00
parent 822f111b86
commit 4acdba42a6
1 changed file with 6 additions and 10 deletions


@ -60,9 +60,10 @@ AJAX
While the above method can be used for AJAX POST requests, it has some
inconveniences: you have to remember to pass the CSRF token in as POST data with
every POST request. For this reason, there is an alternative method: on each
XMLHttpRequest, set a custom ``X-CSRFToken`` header to the value of the CSRF
token. This is often easier, because many JavaScript frameworks provide hooks
that allow headers to be set on every request.
XMLHttpRequest, set a custom ``X-CSRFToken`` header (as specified by the
:setting:`CSRF_HEADER_NAME` setting) to the value of the CSRF token. This is
often easier because many JavaScript frameworks provide hooks that allow
headers to be set on every request.
First, you must get the CSRF token. How to do that depends on whether or not
the :setting:`CSRF_USE_SESSIONS` setting is enabled.
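Review bot: the parenthetical "(as specified by the :setting:`CSRF_HEADER_NAME` setting)" in the new second sentence can still be read as the setting holding the literal header name ``X-CSRFToken``, whereas the note removed in the next hunk shows its default is the ``HTTP_X_CSRFTOKEN`` META key form. Since #29858 is about exactly that confusion, consider saying it explicitly, e.g. "set a custom ``X-CSRFToken`` header (the header whose ``request.META`` key is configured by :setting:`CSRF_HEADER_NAME`) to the value of the CSRF token".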
@ -73,13 +74,8 @@ Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False``
The recommended source for the token is the ``csrftoken`` cookie, which will be
set if you've enabled CSRF protection for your views as outlined above.
.. note::
The CSRF token cookie is named ``csrftoken`` by default, but you can control
the cookie name via the :setting:`CSRF_COOKIE_NAME` setting.
The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can
customize it using the :setting:`CSRF_HEADER_NAME` setting.
The CSRF token cookie is named ``csrftoken`` by default, but you can control
the cookie name via the :setting:`CSRF_COOKIE_NAME` setting.
Acquiring the token is straightforward:
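Review bot: dropping the two removed lines means the default ``HTTP_X_CSRFTOKEN`` value is no longer mentioned anywhere in this file, while the hunk above now points readers at :setting:`CSRF_HEADER_NAME` for the header. Please confirm the settings reference for :setting:`CSRF_HEADER_NAME` documents that the value is the ``request.META`` key (``HTTP_X_CSRFTOKEN`` for the ``X-CSRFToken`` header), otherwise a reader following the new cross-reference has no way to relate the two names.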