===================================== Cross Site Request Forgery protection ===================================== .. module:: django.middleware.csrf :synopsis: Protects against Cross Site Request Forgeries The CSRF middleware and template tag provides easy-to-use protection against `Cross Site Request Forgeries`_. This type of attack occurs when a malicious website contains a link, a form button or some JavaScript that is intended to perform some action on your website, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, 'login CSRF', where an attacking site tricks a user's browser into logging into a site with someone else's credentials, is also covered. The first defense against CSRF attacks is to ensure that GET requests (and other 'safe' methods, as defined by :rfc:`7231#section-4.2.1`) are side effect free. Requests via 'unsafe' methods, such as POST, PUT, and DELETE, can then be protected by following the steps below. .. _Cross Site Request Forgeries: https://www.squarefree.com/securitytips/web-developers.html#CSRF .. _using-csrf: How to use it ============= To take advantage of CSRF protection in your views, follow these steps: 1. The CSRF middleware is activated by default in the :setting:`MIDDLEWARE_CLASSES` setting. If you override that setting, remember that ``'django.middleware.csrf.CsrfViewMiddleware'`` should come before any view middleware that assume that CSRF attacks have been dealt with. If you disabled it, which is not recommended, you can use :func:`~django.views.decorators.csrf.csrf_protect` on particular views you want to protect (see below). 2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside the ``