0

Background

I've been trying to make a POST request to my application's backend (written in Django) from my React frontend, but the request fails because the request does not include a CSRF token. Here is the code I use to setup and send my request:

    const formData = new FormData()

    // 'image' is a user uploaded image
    formData.append(
        "myImage",
        image,
        image.name
    )

    const data = await axios.post("http://localhost:8000/myendpoint", formData)
    return data

My application is very simple in that there is no log-in/session-keeping that I need to do and to use the app the user simply needs to give some data (upload an image to be precise) to my Django API's endpoint and then get some results. For reference, here is what I see on my Django server logs:

Forbidden (CSRF cookie not set.): /myendpoint

And here is the error I see in the browser's console:

POST http://localhost:8000/myendpoint 403 (Forbidden)

Based on some questions that appear similar to mine, the suggestion seems to be to retrieve this CSRF token from the csrftoken cookie that Django sends and then including it in subsequent POST requests (for instance, this answer). I didn't think this would work since I did not see any cookies in the Dev Window of the browser when at localhost:3000, but I tried regardless and see the cookie as undefined:

CSRF Token: undefined

I used this code to try to get the cookie (using the js-cookie library):

    var csrftoken = Cookies.get('csrftoken');
    console.log(`CSRF Token: ${csrftoken}`)

Question(s)

Is there a way I can get the CSRF token cookie from Django before sending the POST request if that is the only request I'm sending? I know of some "hacky" ways such as using the csrf_exempt decorator for my endpoint but I was wondering if there is a way I can make it work without it?

Thanks!

  • https://docs.djangoproject.com/en/3.1/ref/csrf/ – iklinac Apr 12 '21 at 02:26
  • Hi @iklinac! The [post](https://stackoverflow.com/a/50735730/15607503) I referenced above seems to use a lot of what is mentioned in the docs, and the method of getting the CSRF token though the cookie that I tried is from the docs as well, but the issue for me is that I'm not sure how I can get Django to send the cookie to my frontend since I'm only making one POST request, which in turn requires me to use the info in that cookie (which I don't have) –  Apr 12 '21 at 03:23
  • Surely you're making a GET request as part of rendering the front-end, right? Can you set the cookie there? – Dave Apr 12 '21 at 04:01
  • 1
    There is no point of CSRF if there is no user as there is nothing to hijack, also your question needs more focus as there are multiple questions and most of them are answered in documentation. csrf_exempt is not hacky but a way to disable CSRF on single endpoint that does not need CSRF – iklinac Apr 12 '21 at 04:30
  • @Dave I wasn't making a GET request to Django since my frontend is completely separate from the backend. –  Apr 12 '21 at 05:04
  • @iklinac that makes sense, I'm new to Django and a few SO answers about `csrf_exempt` made it seem like a hack. It works for me however so it's good to know it's a legitimate solution to a situation like mine, thanks for your help! –  Apr 12 '21 at 05:05

0 Answers0