#29858: CSRF +
-----------------------------------------+------------------------
               Reporter:  StewPoll       |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  Uncategorized  |        Version:  2.1
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 I'm working on a small new application, and using AXIOS to post back to
 Django. Part of this is of course setting the relevant header to include
 the CSRF token.

 Looking at the docs there appears to be contradicting messages about what
 that heading should be.

 Initially we get greeted with this:

 ''For this reason, there is an alternative method: on each XMLHttpRequest,
 set a custom **X-CSRFToken** header to the value of the CSRF token''

 Later on though we get this blockquote in the docs:

 ''**Note** ... The CSRF header name is **HTTP_X_CSRFTOKEN** by default,
 but you can customize it using the CSRF_HEADER_NAME setting.''

 From testing, it appears that X-CSRFToken is indeed the correct header to
 use, as it's currently functioning, but I'm unsure if this is a bug with
 Django, or an error in the docs.

 If it's an error in the docs, can someone please point me in the direction
 of how to submit a pull request to fix this?

--
Ticket URL: <https://code.djangoproject.com/ticket/29858>
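
The two names quoted in the ticket are the same header seen from two sides: `X-CSRFToken` is what the client sends, and `HTTP_X_CSRFTOKEN` is the key under which a WSGI server exposes it in `request.META`, which is what `CSRF_HEADER_NAME` holds. The sketch below is an added example, not part of the ticket and not Django's own code; the function names and the token value are constructed for illustration.

```python
# Added example: the header-name <-> request.META key mapping behind
# CSRF_HEADER_NAME. Helper names and sample values are constructed.

def header_to_meta_key(header_name):
    """Name a client sends -> key the WSGI server stores it under."""
    key = header_name.upper().replace("-", "_")
    # CGI/WSGI convention: these two headers get no HTTP_ prefix.
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key
    return "HTTP_" + key


def meta_key_to_header(meta_key):
    """A CSRF_HEADER_NAME value -> the header name a client must send."""
    if not meta_key.startswith("HTTP_"):
        raise ValueError("not a request-header META key: %r" % meta_key)
    return meta_key[len("HTTP_"):].replace("_", "-")


def build_environ(headers):
    """Constructed stand-in for what a WSGI server does with request headers."""
    return {header_to_meta_key(name): value for name, value in headers.items()}


def read_csrf_header(environ, csrf_header_name="HTTP_X_CSRFTOKEN"):
    """Look the token up the way a server-side check would: by META key."""
    return environ.get(csrf_header_name)


if __name__ == "__main__":
    token = "constructed-token-value"

    # Client sets the documented header name: the lookup succeeds.
    ok = build_environ({"X-CSRFToken": token})
    print(read_csrf_header(ok))

    # Client mistakenly sends the META key as the header name: the server
    # stores it under HTTP_HTTP_X_CSRFTOKEN, so the lookup finds nothing.
    wrong = build_environ({"HTTP_X_CSRFTOKEN": token})
    print(sorted(wrong), read_csrf_header(wrong))
```

When `CSRF_HEADER_NAME` is customized, `meta_key_to_header` gives the name the JavaScript client has to set; header names are case-insensitive, so the upper-case result is equivalent to the mixed-case spelling in the docs.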