Django framework · ~30 mins

CSRF protection mechanism in Django - Mini Project: Build & Apply

CSRF Protection Mechanism in Django
📖 Scenario: You are building a simple Django web application that includes a form for users to submit their email addresses to subscribe to a newsletter. To keep your app safe from Cross-Site Request Forgery (CSRF) attacks, you need to implement Django's CSRF protection mechanism correctly.
🎯 Goal: Build a Django view and template that safely handle a form submission with CSRF protection enabled. You will create the data setup, configure CSRF token usage, implement the form handling logic, and complete the template with the necessary CSRF token tag.
📋 What You'll Learn
Create a Django view function named subscribe that handles GET and POST requests.
Create a simple HTML form in a template named subscribe.html with an email input and a submit button.
Add a CSRF token in the form to protect against CSRF attacks.
Use Django's @csrf_protect decorator, and understand that CsrfViewMiddleware (part of the default MIDDLEWARE setting) already enforces the same check for every view when it is enabled.
💡 Why This Matters
🌍 Real World
CSRF protection is essential for any web application that changes state in response to a form submission. Because the browser attaches the user's session cookie to every request, a malicious site could otherwise make a logged-in victim's browser submit a request the victim never intended; the token ties each form to the page that rendered it, so a cross-site page cannot produce a request the server will accept.
💼 Career
Understanding and implementing CSRF protection is a fundamental skill for web developers working with Django or any web framework to ensure application security.
1
Create the initial Django view function
Create a Django view function called subscribe in views.py that imports render and HttpResponse from django.shortcuts and django.http respectively. The function should accept a request parameter and return render(request, 'subscribe.html') for now.
Hint: Start by defining a function named subscribe that takes request and returns the rendered template subscribe.html.

2
Enable CSRF protection on the view
Modify the subscribe view function to import csrf_protect from django.views.decorators.csrf and decorate the function with @csrf_protect. This enforces the CSRF check for this view even if CsrfViewMiddleware has been removed from MIDDLEWARE; with the default middleware in place the decorator is redundant but harmless. On an unsafe request (POST, PUT, PATCH or DELETE) the check rejects the request with HTTP 403 unless the token submitted with the form and the csrftoken cookie carry the same secret.
Hint: Use the @csrf_protect decorator above your view function to enable CSRF protection.

3
Add form handling logic with POST method
Inside the subscribe view, add an if statement to check if request.method == 'POST'. If true, retrieve the email from request.POST['email'] and return an HttpResponse with the text "Subscribed: {email}" using an f-string. Otherwise, render the subscribe.html template as before. Two things to keep in mind once the exercise works: request.POST['email'] raises MultiValueDictKeyError (an HTTP 500) when the field is absent, so request.POST.get('email', '') is safer; and HttpResponse does not escape its content the way a template does, so reflecting the submitted value without django.utils.html.escape is a reflected XSS risk.
Hint: Check if the request method is POST, then get the email from request.POST and respond with a confirmation message.

4
Complete the HTML form with CSRF token
Create a file named subscribe.html with a simple HTML form that uses the POST method and has an input field with name="email". Inside the <form> tag, add the Django template tag {% csrf_token %}, which renders a hidden input named csrfmiddlewaretoken carrying the token. Add a submit button labeled Subscribe. The tag only produces a token when the template is rendered with the request (render(request, ...) does this); a form that submits with GET needs no token, because Django checks only unsafe methods.
Hint: Inside your form, add {% csrf_token %} to include the CSRF token for protection.