
I am using django-1.10 for my project and I want to disable the CSRF check in my project. For this, what I did is that I created a CSRFDisable middleware and added it in middlewares after CommonMiddleware. This same process worked for me in django 1.8 but in django 1.10 it is not working. I tried removing django.middleware.csrf.CsrfViewMiddleware also but it doesn't work for me. The middleware class is as below:

class DisableCSRF(object):

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        return self.get_response(request)

    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'common.middlewares.DisableCSRF',
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

The error I am getting on POST request is:

{
    "detail": "CSRF Failed: CSRF token missing or incorrect."
}
  • See [this answer](https://stackoverflow.com/a/43841990/1418794) – doru Sep 10 '17 at 14:07
  • Why are you even trying to disable CSRF globally? If disabling `CsrfViewMiddleware` does not work, then you are obviously using views with `@csrf_protect`. _These views require CSRF protection!!_ – knbk Sep 10 '17 at 15:36
  • What is the purpose of `common.middlewares.DisableCSRF`? You should not have to _add_ any middleware to disable csrf. – Håken Lid Sep 10 '17 at 16:44
  • @knbk, I am using `django-rest-framework's` `generic views` and I don't think it uses `@csrf_protect` decorator by default. – Saleem Ahmed Sep 10 '17 at 17:20
  • @HåkenLid, I am creating some APIs, where I don't need `csrf_token`, so I am disabling it. – Saleem Ahmed Sep 10 '17 at 17:21
  • According to the documentation, removing `CsrfViewMiddleware` should disable csrf protection. So what does the `DisableCSRF` middleware do? – Håken Lid Sep 10 '17 at 17:23
  • DRF does use `@csrf_protect`, but only if you're using session authentication, in which case you definitely should not disable the check. Otherwise it uses `@csrf_exempt`. If it's failing, you need to use a different authentication method (e.g. token-based authentication) or supply a valid CSRF token. – knbk Sep 10 '17 at 17:31
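
None of the comments above explain why the question's middleware has no effect in Django 1.10, so here is an added stand-alone model (not Django's code, and not from the question or answer) of how 1.10 chains new-style middleware, mirroring the `process_request` part of `django.utils.deprecation.MiddlewareMixin.__call__`: a class whose own `__call__` merely delegates never executes its `process_request` hook, so the CSRF check still fires, while the same hook on a `MiddlewareMixin` subclass runs. `build_chain`, `csrf_check_view`, `post_outcome` and the `SimpleNamespace` request are constructed stand-ins for illustration, not Django or DRF APIs.

```python
from types import SimpleNamespace

class MiddlewareMixin:
    """Models django.utils.deprecation.MiddlewareMixin.__call__ (Django 1.10)."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = None
        if hasattr(self, "process_request"):
            response = self.process_request(request)
        if not response:
            response = self.get_response(request)
        return response

class PlainDisableCSRF:
    """The asker's class: __call__ only delegates, so process_request never runs."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        return self.get_response(request)

    def process_request(self, request):
        setattr(request, "_dont_enforce_csrf_checks", True)

class MixinDisableCSRF(MiddlewareMixin):
    """Same hook; the inherited __call__ actually invokes it."""
    def process_request(self, request):
        setattr(request, "_dont_enforce_csrf_checks", True)

def build_chain(middleware_classes, view):
    """Wrap the view as Django's handler does: the first listed class is outermost."""
    handler = view
    for cls in reversed(middleware_classes):
        handler = cls(handler)
    return handler

def csrf_check_view(request):
    """Constructed stand-in for the CSRF check, which honours the request flag."""
    if getattr(request, "_dont_enforce_csrf_checks", False):
        return "200 OK"
    return "403 CSRF token missing or incorrect"

def post_outcome(middleware_cls):
    """Send a simulated POST through one middleware class, then the CSRF check."""
    return build_chain([middleware_cls], csrf_check_view)(SimpleNamespace())
```

The dead hook fails safe in this case (the CSRF check stays on), but the same silent no-op would cut the other way for a middleware that is supposed to add a check.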

1 Answer

Disabling CSRF protection globally is not a good idea. But if you still want to disable the CSRF for your rest-framework based APIs then what you can do is just override the SessionAuthentication class of django-rest-framework, add it in django-rest-framework DEFAULT_AUTHENTICATION_CLASSES settings and it is done. You can do it like this:

from rest_framework.authentication import SessionAuthentication


class CsrfExemptSessionAuthentication(SessionAuthentication):

    def enforce_csrf(self, request):
        return  # it will not perform any csrf check

and in your settings for rest_framework add:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'path of .CsrfExemptSessionAuthentication',  # path of CsrfExemptSessionAuthentication class
        'rest_framework.authentication.BasicAuthentication',
    ),
}

I hope it will work for you.

Or what you can do is use token-based authentication.

Sarfraz Ahmad
  • There's a reason DRF explicitly checks for CSRF tokens in session authentication without providing a way to disable this check. Sessions are by their design inherently susceptible to CSRF attacks. By disabling this check while using session authentication, you are explicitly making your API vulnerable to CSRF attacks. **Don't ever do this in a production site.** – knbk Sep 10 '17 at 18:49