
[Question] How to implement SPA's CSRF flow if we set CSRF_COOKIE_HTTPONLY = True in production?


Hi! Setting CSRF_COOKIE_HTTPONLY = True in production doesn't let me grab the CSRF token from cookies as described in the Django docs, because document.cookie is empty.

Given that I want to keep the SessionAuthentication flow, could you please advise a proper way of handling this scenario? It works if I reset this setting to False, but I suppose you set it to True for a reason.

I'm using Django REST Framework + React and the Axios lib for requests.

Thanks!

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 2
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
pydanny commented, Apr 21, 2017

When CSRF_COOKIE_HTTPONLY is set, you can't grab the CSRF token from cookies. To make it work, you have to inject it from the DOM. To borrow from the upcoming TSD 1.11, in the DOM we put:

<html>
<!-- Placed anywhere in the page, doesn't even need to
      be in a form as the input element is hidden -->
{% csrf_token %}
</html>

Then if we used jQuery we could get that piece of the DOM:

var csrfToken = $('[name=csrfmiddlewaretoken]').val();  // jQuery

Hopefully you did not turn off CSRF 😜

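The DOM approach from the comment above, carried through to the request side that the question asks about (React + Axios, or plain fetch), as an added example that is not code from this thread, from Django, or from DRF. It assumes the page is rendered by a Django template containing {% csrf_token %}, so the markup holds the hidden csrfmiddlewaretoken input; the HTML string, the token value and the helper names (getCsrfToken, buildFetchOptions, csrfInterceptor) are constructed for this example. Django's defaults are used: the header is X-CSRFToken, and GET/HEAD/OPTIONS/TRACE are the methods CsrfViewMiddleware does not check.

```javascript
// Added example, not code from the issue thread or from Django/DRF.
// Reads the CSRF token out of the rendered page (the {% csrf_token %} hidden
// input) instead of document.cookie, which no longer exposes the csrftoken
// cookie once CSRF_COOKIE_HTTPONLY = True, and attaches it to unsafe requests
// as the X-CSRFToken header that Django's CsrfViewMiddleware reads.
//
// Assumption: the Django template rendered this page with {% csrf_token %}.
// The markup and token value below are constructed for this example.
const SAMPLE_HTML = `
<!doctype html>
<html><body>
<input type="hidden" name="csrfmiddlewaretoken" value="Qx7pLm3Examp1eToken">
<div id="root"></div>
</body></html>`;

// Methods CsrfViewMiddleware does not check (Django's "safe" methods).
const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Django's default CSRF_HEADER_NAME is HTTP_X_CSRFTOKEN, i.e. X-CSRFToken.
const CSRF_HEADER = 'X-CSRFToken';

// In a browser pass `document`; under Node (as in this demo) pass raw markup.
// Returns null when the page carries no token, so callers can fail loudly.
function getCsrfToken(source) {
  if (source && typeof source.querySelector === 'function') {
    const el = source.querySelector('input[name="csrfmiddlewaretoken"]');
    return el ? el.value : null;
  }
  const m = String(source).match(/name="csrfmiddlewaretoken"\s+value="([^"]*)"/);
  return m ? m[1] : null;
}

function isCsrfSafe(method) {
  return CSRF_SAFE_METHODS.has(String(method || 'GET').toUpperCase());
}

// fetch() options: the header goes only on unsafe methods; credentials are
// always sent so the session cookie and the HttpOnly csrftoken cookie both
// reach Django (the middleware compares header token and cookie secret).
function buildFetchOptions(method, token, body) {
  const m = String(method).toUpperCase();
  const headers = { 'Content-Type': 'application/json' };
  if (!isCsrfSafe(m)) {
    if (!token) {
      throw new Error(`no CSRF token found in page; refusing to send ${m}`);
    }
    headers[CSRF_HEADER] = token;
  }
  const opts = { method: m, headers, credentials: 'same-origin' };
  if (body !== undefined) opts.body = JSON.stringify(body);
  return opts;
}

// Axios request interceptor doing the same thing. Usage in the SPA:
//   axios.interceptors.request.use(csrfInterceptor(getCsrfToken(document)));
// Axios hands interceptors config.method in lower case, hence the
// case-insensitive check in isCsrfSafe.
function csrfInterceptor(token) {
  return (config) => {
    if (!isCsrfSafe(config.method)) {
      if (!token) throw new Error('no CSRF token found in page');
      config.headers = { ...(config.headers || {}), [CSRF_HEADER]: token };
    }
    return config;
  };
}

// Stand-alone demo under Node.
const token = getCsrfToken(SAMPLE_HTML);
console.log('token from DOM:', token);
console.log('POST options:', buildFetchOptions('POST', token, { title: 'hello' }));
console.log('GET options:', buildFetchOptions('GET', token));
```

Two things to keep in mind when using this pattern: it only works when the HTML the SPA is served from is rendered by Django (a static index.html has no token to read), and Django rotates the CSRF token on login, so a token read from the DOM before an in-page login must be refreshed afterwards rather than reused.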
1 reaction
pySilver commented, Aug 6, 2019

Looks like there is no practical reason to keep CSRF_COOKIE_HTTPONLY = True (as per the Django docs).
