How to Use CSRF Middleware in Django for Secure Forms
In Django, enable CsrfViewMiddleware in your MIDDLEWARE settings to protect against CSRF attacks. Use the {% csrf_token %} template tag inside HTML forms to include the CSRF token for validation.
Syntax
The CSRF middleware is added to the MIDDLEWARE list in your Django settings.py. It looks like this:
- 'django.middleware.csrf.CsrfViewMiddleware': This middleware checks incoming POST requests for a valid CSRF token.
- {% csrf_token %}: This template tag inserts a hidden input with the CSRF token inside your HTML form.
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',  # CSRF protection middleware
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

```html
<!-- In your HTML template form: -->
<form method="post">
    {% csrf_token %}
    <!-- form fields -->
    <button type="submit">Submit</button>
</form>
```
Example
This example shows a simple Django view and template using CSRF middleware to protect a form submission.
```python
# views.py
from django.shortcuts import render
from django.http import HttpResponse


def my_form_view(request):
    # By the time this view runs, CsrfViewMiddleware has already verified the
    # token on the POST request; a request without a valid token never gets here.
    if request.method == 'POST':
        # Process form data here
        return HttpResponse('Form submitted successfully!')
    return render(request, 'my_form.html')
```

```html
<!-- my_form.html -->
<html>
<body>
<form method="post">
    {% csrf_token %}
    <label for="name">Name:</label>
    <input type="text" id="name" name="name" required>
    <button type="submit">Send</button>
</form>
</body>
</html>
```
Output
When you open the page, you see a form with a name field and a submit button. Submitting the form sends a POST request with a CSRF token, and the server responds with 'Form submitted successfully!'.
Common Pitfalls
Common mistakes when using CSRF middleware include:
- Forgetting to add 'django.middleware.csrf.CsrfViewMiddleware' to MIDDLEWARE, which disables CSRF protection entirely.
- Omitting the {% csrf_token %} tag inside HTML forms, causing CSRF validation to fail (Django rejects the submission with a 403 Forbidden response).
- Using AJAX POST requests without sending the CSRF token in the request headers.
- Disabling CSRF middleware globally or on individual views without understanding the security risk.
```html
<!-- Wrong: missing csrf_token in template -->
<form method="post">
    <!-- Missing {% csrf_token %} -->
    <input type="text" name="data">
    <button type="submit">Submit</button>
</form>

<!-- Right: include csrf_token -->
<form method="post">
    {% csrf_token %}
    <input type="text" name="data">
    <button type="submit">Submit</button>
</form>
```
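As an added example (not from the original page), here is the AJAX case from the pitfalls above: a small browser-side helper that reads Django's csrftoken cookie and attaches it as the X-CSRFToken header on a fetch POST. It assumes Django's default CSRF_COOKIE_NAME ('csrftoken') and default header name, and that CSRF_COOKIE_HTTPONLY is left at False so the cookie is readable from JavaScript; the cookieString parameter and the buildCsrfPost helper are my own additions so the logic can also run outside a browser.

```javascript
// Added example, not code from the original page.
// Assumes Django defaults: CSRF_COOKIE_NAME = "csrftoken",
// CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN" (sent by the browser as "X-CSRFToken"),
// and CSRF_COOKIE_HTTPONLY = False so the cookie is visible to JavaScript.

// Return the value of a named cookie, or null if it is not set.
// cookieString is optional (hypothetical parameter); in a browser it defaults to document.cookie.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== "undefined" ? document.cookie : "");
  for (const part of source.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build the arguments for fetch(url, init) so that CsrfViewMiddleware accepts the POST.
// Throws instead of sending a request that would be rejected with 403 anyway.
function buildCsrfPost(url, payload, cookieString) {
  const token = getCookie("csrftoken", cookieString);
  if (!token) {
    throw new Error("csrftoken cookie not found; render {% csrf_token %} or use @ensure_csrf_cookie on the view");
  }
  return {
    url,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-CSRFToken": token, // Django checks this header when no csrfmiddlewaretoken form field is present
      },
      credentials: "same-origin", // include the session and csrftoken cookies on same-origin requests
      body: JSON.stringify(payload),
    },
  };
}

// Browser usage:
//   const req = buildCsrfPost("/submit/", { name: "Alice" });
//   fetch(req.url, req.init).then(r => console.log(r.status));
```

If CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY is enabled, the token is not readable from a cookie; read it from the hidden input that {% csrf_token %} renders instead.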
Quick Reference
| Step | Description |
|---|---|
| Add middleware | Include 'django.middleware.csrf.CsrfViewMiddleware' in MIDDLEWARE list |
| Use template tag | Add {% csrf_token %} inside every POST form |
| Handle AJAX | Send CSRF token in AJAX request headers |
| Avoid disabling | Do not disable CSRF middleware unless necessary |
Key Takeaways
- Always include 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE settings for CSRF protection.
- Use the {% csrf_token %} tag inside all HTML forms that submit POST requests.
- For AJAX POST requests, send the CSRF token in request headers to pass validation.
- Never omit CSRF tokens or disable the middleware without understanding the security risks.
- Test your forms to ensure CSRF validation is working and not causing errors.