CSRF Middleware and Django admin

jpf · March 18, 2022, 6:43am

I have a project that uses Django 2.2 and I am trying to understand how CSRF and Django Middleware work.

I have 'django.middleware.csrf.CsrfViewMiddleware' commented out in MIDDLEWARE in settings.py.

When I check the cookies a csrftoken is still present. This gets sent when I make changes in the admin. When I delete the cookie and attempt to make a change Django responds with a 403.

I don’t actually want to disable CSRF-protection on the admin, I just want to understand why commenting out the middleware does not seem to affect it. Is it because the middleware runs on the admin regardless of the setting?

felixxm · March 18, 2022, 9:14am

Admin views are decorated with @csrf_protect so CSRF protection is enabled even without a middleware. See:

for more details.

jpf · March 19, 2022, 4:02am

Awesome, thanks. I should’ve checked the source code. I can’t seem to find it but is there anywhere this is mentioned in the docs?

felixxm · March 19, 2022, 2:27pm

I don’t see much value in documenting this.

Topic		Replies	Views
CSRF Verification failing in local deployment Deployment	4	214	June 26, 2024
AJAX/XHR and X-CSRFToken Using Django	0	661	May 17, 2020
CSRF Token missing Mystery Errors	8	1236	November 21, 2023
Login to Django gives Forbidden (CSRF cookie not set.): /admin/login/ Forms & APIs	0	1666	March 4, 2023
Forbidden (403) CSRF verification failed. Request aborted. Forms & APIs	3	2337	March 25, 2023

CSRF Middleware and Django admin

Related topics