Django CSRF with axios or jQuery

cbuelterApril 10, 2017April 18, 2017Snippets, Uncategorized

I found myself trying to create a JavaScript application which sends HTTP requests using axios against a Django backend that requires every POST/PUT/PATCH/DELETE request to have a valid CSRF token. Fortunately, axios allows to read the token from the Django cookie (thanks to @tobire42 for finding that out) and send it along with every request automatically, see this wonderful post about the different options on how to do that. I liked this solution to configure the client only:

import axios from 'axios';

axios.defaults.xsrfCookieName = 'csrftoken'
axios.defaults.xsrfHeaderName = 'X-CSRFToken'

This will pipe the csrftoken back through to Django, no more configuration needed. Please note: Django’s documentation about the default header name seems outdated and we need to use the one above instead (or configure the name to be whatever we like).

The same thing can be done with other frontend frameworks, e.g. for jQuery we can do (see Django docs for a getCookie() implementation):

$.ajaxSetup({
  beforeSend: function (xhr, settings) {
    xhr.setRequestHeader('X-CSRFToken', getCookie('csrftoken'));
  },
});

Published by cbuelter

View all posts by cbuelter

7 Comments

André Duarte says:

August 11, 2017 at 5:15 pm

Two days trying to make this work with vue-resource and five minutes to success with axios. Thanks.

Reply
1. cbuelter says:
  
  August 12, 2017 at 10:24 am
  
  Glad it helped. To be fair, the same thing can be done with vue-resource as well, passing the header like in the jquery example (see https://github.com/pagekit/vue-resource/blob/develop/docs/config.md).
  
  Vue.http.headers.common['X-CSRFToken'] = getCookie('csrftoken');
  
  Reply
Andrew Perry says:

September 18, 2017 at 3:30 pm

This didn’t work for me but I have no idea why, the only difference from the axios side of things is that I use
“`
axios.defaults.withCredentials = true
“`
The error message I get from django is:
“`
Forbidden (CSRF token missing or incorrect.): /get_compound_data/
[18/Sep/2017 15:24:37] “POST /get_compound_data/ HTTP/1.1” 403 2274
“`

Been stuck googling this for about absolutely ages at this point, any ideas would be greatly appreciated 🙂

Reply
1. cbuelter says:
  
  September 18, 2017 at 9:20 pm
  
  I don’t think the credentials setting is the problem, as far as I remember I am also using that. You should try to debug a) if the CSRF cookie is set in the browser correctly after authenticating, b) if that value is read correctly in the client and c) if it is correctly attached as a header to the outgoing request. You may want to add debug statements in the SessionAuthentication in your virtualenv’s Django package for that. Good luck!
  
  Reply
2. Milton Lenis says:
  
  December 15, 2017 at 4:28 pm
  
  I’m having the same problem, could you solve it?
  
  Reply
Pingback: Django CSRF check failing with an Ajax POST request - ExceptionsHub
Pingback: [Django]-Django CSRF check failing with an Ajax POST request - TheCodersCamp

	[Django]-Django CSRF… on Django CSRF with axios or…
	eldoir on Pytest inside 3ds Max
	cbuelter on Razer Chroma Shenanigans
	cbuelter on Cut the Puppet
	hlyanminhtet on Cut the Puppet

Share this:

Related

Published by cbuelter

7 Comments

Leave a comment Cancel reply