CSRF Middleware and Django admin

I have a project that uses Django 2.2 and I am trying to understand how CSRF and Django Middleware work.

I have 'django.middleware.csrf.CsrfViewMiddleware' commented out in MIDDLEWARE in settings.py.

When I check the cookies a csrftoken is still present. This gets sent when I make changes in the admin. When I delete the cookie and attempt to make a change Django responds with a 403.

I don’t actually want to disable CSRF-protection on the admin, I just want to understand why commenting out the middleware does not seem to affect it. Is it because the middleware runs on the admin regardless of the setting?

Admin views are decorated with @csrf_protect so CSRF protection is enabled even without a middleware. See:

for more details.

Awesome, thanks. I should’ve checked the source code. I can’t seem to find it but is there anywhere this is mentioned in the docs?

I don’t see much value in documenting this.