Add CSRF in Fetch JS for Django

Question

I have the following JS code in my django template:

fetch("http://127.0.0.1:8000/api/endpoint", {
      method: "POST",
      body: $("#form").serializeArray(),
    }).then(function(data) {
    });

In the api/endpoint, I just get:

Forbidden (CSRF token missing or incorrect.): /api/endpoint

How do I add the csrf token in the fetch?

score 3 · Accepted Answer · answered Aug 13 '20 at 01:49

I was having issues with this for hours on a similar project. I finally found the solution! I hope this information helps. The script I'm using is not on the django template, so using csrfmiddlewaretoken: '{{ csrf_token }}' wouldn't work for me.

I added in the "credentials": 'same-origin' as listed above, but also included "X-CSRFToken": getCookie("csrftoken"), which uses the function included at the bottom. It was this second bit that I needed. So your code should look something like:

fetch("http://127.0.0.1:8000/api/endpoint", {
  method: "POST",
  body: $("#form").serializeArray(),
  credentials: 'same-origin',
  headers: {
      "X-CSRFToken": getCookie("csrftoken")
  }
})
.then(function(data) {
})
.catch(err => console.log(err));

Then you need this function added:

function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie !== '') {
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++) {
        var cookie = jQuery.trim(cookies[i]);
        // Does this cookie string begin with the name we want?
        if (cookie.substring(0, name.length + 1) === (name + '=')) {
            cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
            break;
        }
    }
}
return cookieValue;}

And of course the method has to be on the same page. Taken from Django Docs. https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax

I found this information from this post: https://stackoverflow.com/a/43943556 from user Ska

spaceSentinel · Answer 2 · 2020-06-16T20:32:40.787

1

Inside your body, you can pass the csrf token inside your ajax request like this:

body : {
   // Other stuff
   csrfmiddlewaretoken: '{{ csrf_token }}'
}

This should solve your problem.

Edit : Fetch doesn't include Cookies by default inside its request. To do so you need to add this line inside your fetch request as on option:

credentials : 'include' // For Cors
credentials : 'same-origin' // For same origin requests

edited Jun 16 '20 at 20:32

answered Jun 16 '20 at 20:04

spaceSentinel

630
6
9

Thanks for your response!! This didn't work for me, unfortunately, same error – Jun 16 '20 at 20:28
1

@RahulRentash Just made an edit, check if it works. – spaceSentinel Jun 16 '20 at 20:33
Thanks! What do you mean by as an edit? Would you mind writing the full fetch request code? Thanks!! – Jun 16 '20 at 20:36

Nestigd · Answer 3 · 2022-06-05T15:01:47.297

In my case I was using plain Javascript and Django.

I had to hide a {% csrf_token %} in my HTML layout so that I could access it in my fetch request as follows:

HTML template:

<head> 
  <title>Page title</title>
  {% csrf_token %}
</head>

index.js:

csrf_token = document.getElementsByName('csrfmiddlewaretoken')[0].value

fetch(`${url}`, {
        method : 'put',
        body : JSON.stringify(your_dat),
        headers: { "X-CSRFToken": csrftoken },
        credentials : 'same-origin',
    })

it may not be the most beatiful code

Add CSRF in Fetch JS for Django

3 Answers3