47

I have a flow in my Django application in which I redirect the user to another service (e.g. PayPal) which, after some processing of its own, returns the user back to my own server. The returning point on my server is a simple HTML success page which I render using direct_to_template.

For some odd reason, the other server sends a POST request, and hence the user sees a "CSRF token missing" error, as the other server doesn't send back any CSRF token.

How do I exempt a direct_to_template view from CSRF tokens?

sharjeel

2 Answers

75

You can use the csrf_exempt decorator to disable CSRF protection for a particular view.

Say your url pattern is:

```python
('^my_page/$', direct_to_template, {'template': 'my_page.html'})
```

Add the following import to your urls.py:

```python
from django.views.decorators.csrf import csrf_exempt
```

Then change the url pattern to:

```python
('^my_page/$', csrf_exempt(direct_to_template), {'template': 'my_page.html'})
```

Alasdair
73

You can use the @csrf_exempt decorator to exempt a view from the CSRF token. For this you have to import

```python
from django.views.decorators.csrf import csrf_exempt
```

Then write @csrf_exempt before your view.

This will work properly :)

ravi404
Neeraj Sharma
  • 3
    This does not answer the question at all, as he wants to use the built-in direct_to_template function, not decorate his own views – Johannes Lerch Feb 02 '15 at 14:12
  • 3
    You can also use `@method_decorator(csrf_exempt)` on the `dispatch` method for your class-based views. – Mark Mishyn Jul 29 '17 at 10:48
  • 1
    @MarkMishyn can you elaborate a bit more? e.g. from where do we import `method_decorator`? edit: `from django.utils.decorators import method_decorator` – David Schumann May 23 '19 at 13:23
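
Why wrapping the view inside urls.py is enough, shown as a simplified stand-alone model added here (it is not Django's code and not part of either answer): `csrf_exempt` flags the wrapper it returns, and the CSRF check skips any URL callback carrying that flag, so routes that use the plain `direct_to_template` stay protected. `csrf_check`, `handle`, `URLS`, the `/account/` route and the request dicts are hypothetical stand-ins.

```python
import hmac
from functools import wraps

def csrf_exempt(view_func):
    """Model of the decorator: return a wrapper flagged as exempt."""
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True   # the flag lives on the wrapper only
    return wrapped_view

def direct_to_template(request, template):
    """Stand-in for the generic view: renders only, changes no state."""
    return (200, "rendered " + template)

def csrf_check(request, callback):
    """Model of the per-view CSRF check that runs before the view is called."""
    if getattr(callback, "csrf_exempt", False):
        return None                   # exempt callback: check is skipped
    if request["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None                   # safe methods are not checked
    sent = request.get("token") or ""
    expected = request.get("cookie_token") or ""
    if not sent or not hmac.compare_digest(sent, expected):
        return (403, "CSRF token missing or incorrect")
    return None

# Constructed URL table: only the external service's return page is wrapped.
URLS = {
    "/my_page/": (csrf_exempt(direct_to_template), {"template": "my_page.html"}),
    "/account/": (direct_to_template, {"template": "account.html"}),
}

def handle(request):
    """Resolve the route, run the CSRF check, then call the view."""
    callback, kwargs = URLS[request["path"]]
    rejected = csrf_check(request, callback)
    return rejected or callback(request, **kwargs)

if __name__ == "__main__":
    # Constructed requests: cross-site POSTs that carry no CSRF token.
    print(handle({"method": "POST", "path": "/my_page/"}))
    print(handle({"method": "POST", "path": "/account/"}))
```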