
I'm developing an app using Django REST framework and React. I need to implement a CSRF token for some of my forms, and also a JWT refresh token. These are the options that exist for Django CSRF token handling:

  1. Using `{% csrf_token %}` before forms in a Django template.
  2. Adding the CSRF decorator `@ensure_csrf_cookie` to a view, to set the CSRF token as a cookie in the response, then reading the value of that cookie in React and adding it to my form or request header.

The first option is not possible in my case, because I'm using React instead of Django templates.

And the second option is not a good idea, because I would have to make a request to this specific view (API) to obtain a CSRF token before submitting every form. Also, in this case, I don't know how Django is going to validate CSRF tokens properly. I mean, how should Django recognize that the passed CSRF token was made by the user whose data is being modified? Maybe a malicious user requests that view, obtains a valid token, and uses that token to modify someone else's information!

So my question is: what is the best way of utilizing CSRF tokens in Django + React projects?

famdude
  • Does this answer your question? [How to use csrf_token in Django RESTful API and React?](https://stackoverflow.com/questions/50732815/how-to-use-csrf-token-in-django-restful-api-and-react) – Pablo Jan 12 '23 at 16:03
  • @Pablo I've already read it, and I think it actually suggests the second option that I mentioned. And I've explained the problem I have with this approach. – famdude Jan 12 '23 at 17:13
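Added example, not part of the question or of Django's own code: a stand-alone Python re-implementation of the token masking and the double-submit comparison that Django's `CsrfViewMiddleware` applies to unsafe requests, used to walk through the scenario raised in the question (a valid token obtained in one browser session, submitted alongside another session's cookie). Django is not imported; the alphabet, lengths and mask arithmetic follow `django.middleware.csrf`, the Origin/Referer checks Django also performs are left out, and the two-browser scenario in `demo()` is constructed.

```python
import hmac
import secrets
import string

# Alphabet and lengths used by django.middleware.csrf, restated here so the
# example runs without Django installed (re-implementation, not an import).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # 62 characters
CSRF_SECRET_LENGTH = 32                                     # bare secret, as stored in the cookie
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                  # mask + ciphered secret


def new_csrf_secret() -> str:
    """Per-browser secret, as @ensure_csrf_cookie would set in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Mask the secret with a fresh random pad (mirrors Django's _mask_cipher_secret).

    Every call produces a different 64-character token for the same secret, which is
    why a page can hand out many tokens that all validate against one cookie.
    """
    chars = CSRF_ALLOWED_CHARS
    mask = new_csrf_secret()
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Recover the secret from a masked token (mirrors Django's _unmask_cipher_token)."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    # Negative indexes wrap around, so this is subtraction modulo len(chars).
    return "".join(chars[chars.index(c) - chars.index(m)] for c, m in zip(cipher, mask))


def _well_formed(value: str) -> bool:
    """Django's format check: 32 or 64 characters, all from the CSRF alphabet."""
    return (len(value) in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH)
            and all(ch in CSRF_ALLOWED_CHARS for ch in value))


def csrf_request_allowed(cookies: dict, headers: dict) -> bool:
    """The double-submit check CsrfViewMiddleware applies to POST/PUT/PATCH/DELETE.

    Both the csrftoken cookie and the X-CSRFToken header are reduced to their bare
    secret (unmasking 64-character values) and compared in constant time. Nothing in
    the token identifies a user account; the binding comes from the cookie, which only
    the browser that received it will send back.
    """
    cookie = cookies.get("csrftoken", "")
    header = headers.get("X-CSRFToken", "")
    if not (_well_formed(cookie) and _well_formed(header)):
        return False
    cookie_secret = unmask_token(cookie) if len(cookie) == CSRF_TOKEN_LENGTH else cookie
    header_secret = unmask_token(header) if len(header) == CSRF_TOKEN_LENGTH else header
    return hmac.compare_digest(cookie_secret, header_secret)


def demo() -> dict:
    """Constructed two-browser scenario: the secrets stand in for cookies that two
    different clients received from a view decorated with @ensure_csrf_cookie."""
    victim_cookies = {"csrftoken": new_csrf_secret()}
    attacker_cookies = {"csrftoken": new_csrf_secret()}

    # The legitimate React client reads its own cookie and echoes it in the header.
    own_token = csrf_request_allowed(
        victim_cookies, {"X-CSRFToken": mask_secret(victim_cookies["csrftoken"])}
    )
    # A token obtained in a different session is well formed and valid for *that*
    # session, but the victim's browser attaches the victim's cookie, so it is rejected.
    other_session = csrf_request_allowed(
        victim_cookies, {"X-CSRFToken": mask_secret(attacker_cookies["csrftoken"])}
    )
    # A cross-site request that cannot read the victim's cookie sends no usable header.
    no_token = csrf_request_allowed(victim_cookies, {})
    return {"own_token": own_token, "token_from_other_session": other_session, "no_token": no_token}


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes: the token is not tied to a user account but to the cookie the middleware compares it with, and the rule "a request is only accepted when the header and the cookie unmask to the same secret" is what keeps a token fetched in one browser from validating a request carrying another browser's cookie. On the React side the client reads the `csrftoken` cookie (Django's default cookie name) from `document.cookie` and sends its value in the `X-CSRFToken` header (Django's default header name); the cookie persists in the browser, so the `@ensure_csrf_cookie` view only needs to be hit when no cookie is present yet, not before every form.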

0 Answers