Home » Django » Django CSRF framework cannot be disabled and is breaking my site

Django CSRF framework cannot be disabled and is breaking my site

Posted by: admin November 30, 2017 Leave a comment

Questions:

The django csrf middleware can’t be disabled. I’ve commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I’m working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware?

I have to disable it because there are lots of POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a django trunk project?

The “new’ CSRF framework from Django’s trunk is also breaking an external site that is coming in and doing a POST on a URL I’m giving them (this is part of a restful API.) I can’t disable the CSRF framework as I said earlier, how can I fix this?

Answers:

See answers below this for a better solution. Since I wrote this, a lot has changed. There are now better ways to disable CSRF.

I feel your pain. It’s not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x –> 2.x.

Anyway, to fix it I just commented it out and have stopped updating Django as often.

File: django/middleware/csrf.py
Around line 160:

            # check incoming token
#            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
#            if request_csrf_token != csrf_token:
#                if cookie_is_new:
#                    # probably a problem setting the CSRF cookie
#                    return reject("CSRF cookie not set.")
#                else:
#                    return reject("CSRF token missing or incorrect.")

Questions:
Answers:

Yes, Django csrf framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc)

from django.views.decorators.csrf import csrf_exempt                                          
@csrf_exempt                                                                                  
def my_view:                                                                            
    return Httpresponse("hello world")

..and then remove {% csrf_token %} inside the forms from your template,or leave other things unchanged if you have not included it in your forms.

Questions:
Answers:

You can disable this in middleware.

In your settings.py add a line to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (

    myapp.disable.DisableCSRF, 

)

Create a disable.py in myapp with the following

class DisableCSRF(object):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)

Basically if you set the _dont_enforce_csrf_checks in your request, you should be ok.

Questions:
Answers:

In general, you shouldn’t be disabling CSRF protection, since doing so opens up security holes. If you insist, though…

A new way of doing CSRF protection landed in trunk just recently. Is your site by chance still configured to do it the old way? Here are the docs for The New Way™ and here are the docs for The Old Way™.

Questions:
Answers:

I simply tried removing the references to csrf middleware classes from my settings.py, it worked. Not sure if this is acceptable. Any comments?
Below two lines were removed –

      'django.middleware.csrf.CsrfViewMiddleware',
      'django.middleware.csrf.CsrfResponseMiddleware',

Questions:
Answers:

my django version is 1.11. the middleware should be like this:

from django.utils.deprecation import MiddlewareMixin


class DisableCSRF(MiddlewareMixin):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)