
I make a POST request via AJAX without an HTML form. Are there any security issues? Why is there no CSRF error? Because I do not send any CSRF data and CSRF is enabled in Django?

toggle-status.js

jQuery(document).ready(function($) {
    $("#switch-status").click(function(){
        $.ajax({
            url: '/account/switches/',
            data: {'toggle': 'status'}
        });
    });
});

view.py

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

from .models import Switches  # assumed location of the Switches model


@login_required
def switches(request):
    # 'toggle' is read from the query string, i.e. from a GET request
    toggle = request.GET.get('toggle', None)
    current_user = request.user
    update = Switches.objects.get(owner=current_user)
    if toggle == 'status':
        if update.status is True:
            update.status = False
        else:
            update.status = True
    update.save()
    return HttpResponse('')
seeberg

1 Answer


The default method of the ajax function is a GET one, not a POST. So, doing a:

$.ajax({
    url: '/account/switches/',
    data: {'toggle': 'status'}
});

implies that an ajax GET is made. So, you're not doing a POST request.

If you want a POST request, do it like this:

$.ajax({
    method: 'POST',
    url: '/account/switches/',
    data: {'toggle': 'status'}
});

Of course you have to include the CSRF token then, since it will fail if you try to POST without including one. Look here how to accomplish that.

nik_m
  • Thank you. Are there any other security issues with GET? – seeberg Apr 25 '17 at 05:53
  • As long as you do not pass any sensitive data through this method then no, there are no security issues. See [here](http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secure-than-the-other) or [here](https://security.stackexchange.com/questions/33837/get-vs-post-which-is-more-secure) for more. – nik_m Apr 25 '17 at 05:58
  • @nik_m can you talk? :) – alex Apr 25 '17 at 10:08
  • @nik_m can you follow me on Twitter so I can write you there next time? Trying to get to you through Stack is a bit hard; I can't chat with you unless you follow me as well. – alex Apr 25 '17 at 10:19
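The answer above says the POST must carry the CSRF token but the link it refers to is not on this page. The following is an added example, not code from the question or the answer, showing the pattern Django's own documentation recommends for jQuery: read the `csrftoken` cookie and send it in the `X-CSRFToken` header, only for unsafe methods and only on same-origin requests so the token is never handed to another host. The cookie string, URL and origin are passed in as parameters so the helpers can be exercised outside a browser; `getCookie`, `csrfSafeMethod`, `isSameOrigin` and `buildToggleRequest` are names chosen for this example, not jQuery or Django API.

```javascript
// Added example: wiring Django's CSRF token into a jQuery POST.
// Nothing here is from the original post; names are this example's own.

// Read one cookie out of a document.cookie-style string ("a=1; b=2").
// The string is a parameter so the helper runs outside a browser; in the
// page you would pass document.cookie.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CsrfViewMiddleware does not check; every other method
// must carry the token or the request is rejected with 403.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// A path-relative URL is same-origin; an absolute URL only if it starts
// with our own origin (pass window.location.origin in the browser).
function isSameOrigin(url, origin) {
  if (url.startsWith('//')) return false;   // protocol-relative: other host
  if (url.startsWith('/')) return true;     // path-relative: same origin
  return origin !== null && origin !== undefined && url.startsWith(origin + '/');
}

// Build the settings object for $.ajax. The state-changing toggle is sent
// as a POST, and the token header is attached only when the method is
// unsafe and the target is same-origin.
function buildToggleRequest(cookieString, url = '/account/switches/', origin = null) {
  const token = getCookie('csrftoken', cookieString);
  if (!token) {
    // Django only sets the cookie on responses that rendered {% csrf_token %}
    // or whose view is decorated with ensure_csrf_cookie.
    throw new Error('csrftoken cookie missing; the page never received a CSRF cookie');
  }
  const settings = {
    method: 'POST',
    url: url,
    data: { toggle: 'status' },
    headers: {},
  };
  if (!csrfSafeMethod(settings.method) && isSameOrigin(url, origin)) {
    settings.headers['X-CSRFToken'] = token;
  }
  return settings;
}

// Browser wiring for the click handler from the question (constructed,
// not executed here):
//
//   jQuery(document).ready(function ($) {
//     $('#switch-status').click(function () {
//       $.ajax(buildToggleRequest(document.cookie, '/account/switches/',
//                                 window.location.origin));
//     });
//   });
```

On the server side the matching change is to stop the view from accepting a plain GET for a state change: decorate it with `@require_POST` from `django.views.decorators.http` and read `request.POST.get('toggle')` instead of `request.GET`, so that the CSRF middleware is actually consulted and a link or image tag on another site can no longer flip the switch.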