@csrf_exempt decorator not working method view

Hi,

I've been working on an old Django site and trying to add an extra view method that I access from a 3rd party application that I'm updating. I've tried Postman and this doesn't work either. I don't know how I can get my remote application to get a CSRF token when I don't log in to the website. I'm using Chilkat ActiveX to build up the HTTP request; I can get the GET to work and the POST is now working, but I've run into the CSRF problem. It's taken me 2 weeks to get here so I'm feeling a bit deflated.

I guess I’m trying to add a little api to an existing project (django app).

I have an existing view and I've added a new method so I can get my remote software to try and POST a request, but it keeps failing and I'm afraid I don't understand the responses given to the same problem that others are having.

I've added a decorator in the line before the method and imported csrf_exempt into staff.py, which is really long, so I'm just putting the essential code here.

```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def supptool(request):
    print("request.method= ", request.method)
    request_str = "Method: {0}, Path: {1}, GET Params: {2}, POST Params: {3} ".format(
        request.method, request.path, request.GET, request.POST)
    print("request=", request_str)
    response = HttpResponse("OK")        # build the response before setting a header on it
    response['SupportStatus'] = "TEST"   # sets a response header
    return response
```

At the top of the py file I have added `from django.views.decorators.csrf import csrf_exempt`.
I have updated urls.py with the new URL and it correctly calls the method in the view, as the GET works perfectly.

The urls.py has the following in and is working (as the GET works):

```python
from django.conf.urls import url   # Django 1.8 style

from . import staff   # assumption: staff.py sits in the same package as this urls.py

urlpatterns += [
    url(r'^default/$',   # this works for GET
        staff.supptool,
        name='supptool'),
]
```

Is there anyone who can help and explain it in simple terms? Many of the answers I have seen assume you're a seasoned Django developer and I'm afraid I'm not.

I’d really appreciate a guiding hand.

Oh, it's an old Django app, 1.8 (I know it should be upgraded but that's another job for the future, along with the whole server). I'm extending django.helpdesk, which has been working for years, and I'm not wanting to kill the website as that's working.

I'm getting a 403 error:

```
Forbidden (403)
CSRF verification failed. Request aborted.
```

Note: when I tested this on a copy of the code locally it works, but I think the settings.py hasn't got CSRF turned on for the testing runserver; the live website must have it turned on for the existing application.

```shell
python manage.py runserver 8000
```

It's Django working on an Apache server that is not.

I'm not using a Django template view, as the client I'm using is a 3rd party app that I'm programming to send GET and POST requests.

My client code goes like this:

```foxpro
LOCAL loReq AS chilkat_9_5_0.HttpRequest
LOCAL loHttp AS chilkat_9_5_0.Http
LOCAL loGlob, lnSuccess, lcJsonText, loResp
SET SAFETY OFF
_screen.Cls()

loGlob = CreateObject('Chilkat_9_5_0.Global')
lnSuccess = loGlob.UnlockBundle("KEY")

loHttp = CreateObject('Chilkat_9_5_0.Http')
loReq = CreateObject('Chilkat_9_5_0.HttpRequest')
loHttp.VerboseLogging = 1
loReq.VerboseLogging = 1
loReq.HttpVerb = "POST"
*loReq.Path = "/support/default/"
loReq.SendCharset = 1
loReq.Charset = "windows-1250"
* Header names must be the wire names: "HTTP_USER_AGENT" / "HTTP_REFERER" are the
* server-side CGI variable names, so Django's Referer check would never see them.
loReq.AddHeader("User-Agent", "Support")
loReq.AddHeader("Referer", "https://hostname/en/support/")
loReq.ContentType = "application/x-www-form-urlencoded"
loReq.AddParam("action", "checksupported")
loReq.AddParam("user", "Fred")
loReq.AddParam("password", "nopw")
loReq.AddParam("system", "zzz")
loReq.AddParam("shipno", "zzz")
loReq.AddHeader("xSupportTool", "xSupportTool")
? "header", loReq.EntireHeader
? "params=", loReq.NumParams
loResp = loHttp.PostUrlEncoded("https://hostname/en/support/default/", loReq)
? "header", loReq.EntireHeader
IF (loHttp.LastMethodSuccess <> 1) THEN
    ? loHttp.LastErrorText
ELSE
    * Display the JSON response.
    ? loResp.BodyStr
    ? loResp.ContentLength
    ? loResp.Header
    RELEASE loResp
ENDIF

RELEASE loReq
RELEASE loHttp
SET SAFETY ON
```


I've also tried it in Postman and I get the same CSRF 403 error, so at least I have my client code working properly. I was using GETs originally but I don't want to expose the details of the calls in the URL. I can also send username/password in the HTTP request.

Hi @tj21z. To get some help you’ll need to:

  1. Show all the relevant code, properly formatted (use three backticks ``` on lines before and after the code blocks).
  2. Show exactly what you’re doing – URLs you’re requesting, data you’re submitting, etc
  3. Describe what you expect to happen
  4. Describe what actually happens, along with all error messages if any, and full tracebacks if any.

Thanks, hopefully I’ve corrected the question enough. Appreciate your time.

Are you sure the client request method is POST and includes a CSRF token?

This issue seems to be caused by a problem with the request method or the request object not having a CSRF token.

Remove the decorator and see what requests are coming in.

Thanks for taking the time to answer.

I think I've cracked it. I'm not using the web view, so the CSRF token wouldn't be in the template.

I’ve solved it by downloading a page with the token then using that token to then make the post request.

The decorator did nothing, as it always asked for CSRF, so there must have been a setting in settings.py that required it for all forms and the decorator had no effect? I didn't want to break a site that was already working so didn't want to make changes there.

100% I was using the POST request and not GET. GET works but POST requires a CSRF token and cookie.
So now I have a CSRF cookie and POST request token I can talk to the POST request code on the Django backend from a non-Django webpage template, in the way of a remote app.

So for anyone else who stumbles on this post with the same issue, just see if you can download a webpage with the cookie and/or token in the page, then use that in your next POST request, with it in the cookie and in the POST request.

The hard thing for me to wrap my head around was that all the examples are with HTML templates, views and models, but I needed a solution with no HTML templates on the Django site to allow my app to talk to the Django view code.

Shame the `@csrf_exempt` decorator didn't work, as that would have saved me at least a week's work/research time.
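As an added example, not code from this thread or from Django itself: a simplified Python model of the checks Django's CSRF middleware runs on each request (the real middleware does more), showing why the GET always passed, why a POST without the csrftoken cookie and a matching token gets a 403, and that csrf_exempt only helps when the flag sits on the exact callable urls.py resolves to. The Request class, its field names and the host value are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")   # never CSRF-checked

@dataclass
class Request:
    """Constructed stand-in for a Django request: only the fields the check reads."""
    method: str
    cookies: dict = field(default_factory=dict)   # e.g. {"csrftoken": "..."}
    post: dict = field(default_factory=dict)      # form fields
    headers: dict = field(default_factory=dict)   # e.g. {"Referer": ..., "X-CSRFToken": ...}
    is_secure: bool = True                        # the thread's site is served over HTTPS
    host: str = "hostname"

def csrf_exempt(view):
    """Same effect as Django's decorator: flag the callable so the middleware skips it."""
    view.csrf_exempt = True
    return view

def csrf_check(request, view):
    """Return None if the request may reach the view, otherwise the 403 reason."""
    if getattr(view, "csrf_exempt", False):
        return None   # only helps if urls.py resolves to this exact decorated callable
    if request.method in SAFE_METHODS:
        return None   # this is why the poster's GET always worked
    if request.is_secure:
        # Over HTTPS Django also demands a same-host Referer (a "HTTP_REFERER" header is not one).
        referer = request.headers.get("Referer")
        if not referer:
            return "Referer checking failed - no Referer."
        if urlsplit(referer).netloc != request.host:
            return "Referer checking failed - %s does not match %s." % (referer, request.host)
    cookie_token = request.cookies.get("csrftoken")
    if not cookie_token:
        return "CSRF cookie not set."
    # Non-browser clients can send the token in the X-CSRFToken header instead of a form field.
    sent = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(sent, cookie_token):
        return "CSRF token missing or incorrect."
    return None

def plain_view(request):
    return "OK"

@csrf_exempt
def exempt_view(request):
    return "OK"
```

The poster's working sequence is the third case below: fetch a page to receive the csrftoken cookie, then send that cookie back together with the same value as the form field or X-CSRFToken header.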

The fact that you are not using a web view means that you cannot tell what kind of testing you are doing.

You can easily add a CSRF token in your template like this:

```html
<form>
{% csrf_token %}
{{ form }}
</form>
```