0

I'm using the chrome rest client to test the api calls.

A GET request is working fine, but while making a POST request I'm getting a 403 hidden response. The description is:

CSRF verification failed. Request aborted

I'm setting as Content-Type=application/json.

One way would be to use @csrf_exempt, but that doesn't seem to be a good choice.

How do I resolve the above issue?

Sudipta
navyad
  • possible duplicate of [Having a POST'able API and Django's CSRF Middleware](http://stackoverflow.com/questions/2405353/having-a-postable-api-and-djangos-csrf-middleware) – Mp0int Mar 03 '14 at 08:58
  • I mentioned in the post that @csrf_exempt is not a good choice, so that post does not provide a solution. – navyad Mar 03 '14 at 09:01
  • If you make your posts with ajax, then you can get the `csrf_token` data with javascript and add it to your post. But in your case there would be no cookie, and the only solution is using `@csrf_exempt` as @ArpitSingh mentioned. – Mp0int Mar 03 '14 at 09:22

2 Answers

3

Using @csrf_exempt is in fact a good practice when you are providing an API to your site. Cross-site request forgery is what CSRF is, but in your case it won't be a forgery, since an API can (should) be called from any site but yours. Moreover, sharing the CSRF token will prove to be very tricky.

Arpit Singh
0

In the request, include an X-CSRFToken header with the CSRF token value obtained from the csrftoken cookie.

Rob Agar
  • how to get this csrftoken cookie ? – navyad Mar 03 '14 at 08:49
  • either by javascript by examining `document.cookie`, or look in the Cookies section of the *Resources* tab in the Chrome developer tools (Chrome menu button -> Tools -> Developer Tools) – Rob Agar Mar 03 '14 at 08:53
  • ah true, if you're using Chrome REST client. Django assumes an initial GET request for a web app, which would have had the *csrftoken* cookie set. Go with Arpit's answer :) – Rob Agar Mar 03 '14 at 09:03
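As an added example (not code from either answer, nor from Django), here is the approach in Rob Agar's answer in JavaScript: read the csrftoken cookie and send it as the X-CSRFToken header on a JSON POST. The cookie name `csrftoken` and header name `X-CSRFToken` are Django's defaults; the cookie string and the helper names are constructed for the demonstration.

```javascript
// Constructed sample of what document.cookie looks like after a first GET
// to a Django site has set the csrftoken cookie (values are made up).
const SAMPLE_COOKIE = "sessionid=abc123; csrftoken=Q7x%2FyZ; theme=dark";

// Parse a document.cookie-style string ("a=1; b=2") and return the named
// value, or null if it is absent. Values are percent-decoded, as the
// browser stores them.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Build the fetch() options for a same-origin JSON POST that passes
// Django's CSRF middleware: JSON body, X-CSRFToken header carrying the
// cookie value, and credentials included so the csrftoken cookie itself
// travels with the request (Django compares header and cookie).
function buildCsrfPostInit(cookieString, payload) {
  const token = getCookie(cookieString, "csrftoken");
  if (token === null) {
    // This is the questioner's situation: no prior GET, so no cookie,
    // and Django has nothing to compare the header against (403).
    throw new Error("csrftoken cookie not set; load a page from the site first");
  }
  return {
    method: "POST",
    credentials: "same-origin",
    headers: {
      "Content-Type": "application/json",
      "X-CSRFToken": token,
    },
    body: JSON.stringify(payload),
  };
}

// In a browser, send the request with the token taken from document.cookie.
function postJson(url, payload) {
  return fetch(url, buildCsrfPostInit(document.cookie, payload));
}
```

Note that this only works when the browser already holds the cookie from an earlier GET to the same site; a bare REST client with no cookie jar still gets the 403 the question describes.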