=====================================
Cross Site Request Forgery protection
=====================================

.. module:: django.middleware.csrf
   :synopsis: Protects against Cross Site Request Forgeries

The CSRF middleware and template tag provide easy-to-use protection against
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
Web site contains a link, a form button or some JavaScript that is intended to
perform some action on your Web site, using the credentials of a logged-in
user who visits the malicious site in their browser. A related type of attack,
'login CSRF', where an attacking site tricks a user's browser into logging into
a site with someone else's credentials, is also covered.

The first defense against CSRF attacks is to ensure that GET requests (and
other 'safe' methods, as defined by 9.1.1 Safe Methods, HTTP 1.1,
:rfc:`2616#section-9.1.1`) are side-effect free. Requests via 'unsafe'
methods, such as POST, PUT and DELETE, can then be protected by following the
steps below.

.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF

.. _using-csrf:

How to use it
=============

To take advantage of CSRF protection in your views, follow these steps:

1. The CSRF middleware is activated by default in the
   :setting:`MIDDLEWARE_CLASSES` setting. If you override that setting,
   remember that ``'django.middleware.csrf.CsrfViewMiddleware'`` should come
   before any view middleware that assumes that CSRF attacks have been dealt
   with.

   If you disabled it, which is not recommended, you can use
   :func:`~django.views.decorators.csrf.csrf_protect` on particular views you
   want to protect (see below).

2. In any template that uses a POST form, use the :ttag:`csrf_token` tag
   inside the ``
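The following is an added example, not Django's own code: a simplified model of the decision the middleware above makes for each request. It assumes Django's usual scheme of a random per-browser token kept in a cookie and echoed in a hidden form field by the ``csrf_token`` tag; the names ``csrf_check`` and ``new_csrf_token`` are hypothetical.

```python
import hmac
import secrets

# Methods that RFC 2616 section 9.1.1 treats as "safe". The middleware lets
# them through without a token, which is exactly why views reached by these
# methods must stay side-effect free.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def new_csrf_token():
    """Issue a fresh random token for the user's CSRF cookie."""
    return secrets.token_hex(32)


def csrf_check(method, cookie_token, submitted_token):
    """Simplified model of the CsrfViewMiddleware decision (not Django's code).

    cookie_token is the value the site previously set in this browser's CSRF
    cookie; submitted_token is the hidden field rendered by {% csrf_token %}.
    A page on another origin cannot read the cookie, so it cannot supply a
    matching field value. Returns None to let the request proceed, otherwise
    a short rejection reason.
    """
    if method.upper() in SAFE_METHODS:
        return None
    if not cookie_token:
        return "CSRF cookie not set"
    if not submitted_token:
        return "CSRF token missing"
    # Constant-time comparison so the check does not leak the token value
    # through response timing.
    if not hmac.compare_digest(cookie_token, submitted_token):
        return "CSRF token incorrect"
    return None


def run_samples():
    """Constructed sample requests: (method, cookie, form field) -> decision."""
    token = new_csrf_token()
    samples = {
        "safe GET, no token": ("GET", None, None),
        "legitimate form POST": ("POST", token, token),
        "cross-site POST, field guessed": ("POST", token, "0" * 64),
        "cross-site POST, field absent": ("POST", token, None),
    }
    return {name: csrf_check(*req) for name, req in samples.items()}
```

``run_samples()`` returns ``None`` only for the safe GET and the legitimate POST; both cross-site submissions are rejected.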