I have a project that uses Django 2.2 and I am trying to understand how CSRF and Django Middleware work.
I have 'django.middleware.csrf.CsrfViewMiddleware' commented out in MIDDLEWARE in settings.py.
When I check the cookies, a csrftoken is still present. This gets sent when I make changes in the admin. When I delete the cookie and attempt to make a change, Django responds with a 403.
I don't actually want to disable CSRF protection on the admin; I just want to understand why commenting out the middleware does not seem to affect it. Is it because the middleware runs on the admin regardless of the setting?
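As an added illustration (not code from the question or from Django itself), here is a pure-Python emulation of the mechanism behind what the question describes. In Django, `django.views.decorators.csrf.csrf_protect` is built as `decorator_from_middleware(CsrfViewMiddleware)`, and `AdminSite.admin_view()` wraps every admin URL in `csrf_protect`, so the same `process_view` / `process_response` logic runs on admin views whether or not the class is listed in `MIDDLEWARE`. The `Request`, `Response`, `get_token`, `CsrfViewMiddleware`, `admin_view`, `change_form` and `run` names below are simplified stand-ins that mimic that structure (unmasked tokens, no auth checks, no Django imports); they are not Django's real implementations.

```python
# Added example, not Django's own code: a minimal emulation of how a
# middleware class can be applied per-view via a decorator, which is why
# admin views keep CSRF checks with the class removed from MIDDLEWARE.
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:  # stand-in for django.http.HttpRequest
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)


@dataclass
class Response:  # stand-in for django.http.HttpResponse
    status: int
    body: str = ""
    cookies: dict = field(default_factory=dict)


def get_token(request):
    """Stand-in for django.middleware.csrf.get_token: reuse or mint a token
    and flag that the csrftoken cookie must be written on the response."""
    token = request.cookies.get("csrftoken") or secrets.token_hex(16)
    request.meta["CSRF_COOKIE"] = token
    request.meta["CSRF_COOKIE_USED"] = True
    return token


class CsrfViewMiddleware:
    """Simplified: real Django masks tokens and also checks Referer/Origin."""

    def process_view(self, request, view):
        if request.method in SAFE_METHODS:
            return None
        cookie = request.cookies.get("csrftoken")
        submitted = request.post.get("csrfmiddlewaretoken")
        if not cookie or not submitted or not secrets.compare_digest(cookie, submitted):
            return Response(403, "CSRF verification failed.")
        return None

    def process_response(self, request, response):
        # Only set the cookie if a template/view asked for a token.
        if request.meta.get("CSRF_COOKIE_USED"):
            response.cookies["csrftoken"] = request.meta["CSRF_COOKIE"]
        return response


def decorator_from_middleware(mw_class):
    """Mimics django.utils.decorators.decorator_from_middleware: run the
    middleware's hooks around a single view instead of the whole site."""
    def decorator(view):
        def wrapped(request):
            mw = mw_class()
            response = mw.process_view(request, view)
            if response is None:
                response = view(request)
            return mw.process_response(request, response)
        return wrapped
    return decorator


csrf_protect = decorator_from_middleware(CsrfViewMiddleware)


def admin_view(view):
    # AdminSite.admin_view wraps every admin URL like this (plus login checks).
    return csrf_protect(view)


def change_form(request):
    get_token(request)  # {% csrf_token %} in the admin template calls this
    return Response(200, "saved" if request.method == "POST" else "form")


def run(middleware_classes, view, request):
    """Minimal request cycle driven by a global MIDDLEWARE-style list."""
    mws = [cls() for cls in middleware_classes]
    response = None
    for mw in mws:
        response = mw.process_view(request, view)
        if response is not None:
            break
    if response is None:
        response = view(request)
    for mw in reversed(mws):
        response = mw.process_response(request, response)
    return response


def demo():
    """MIDDLEWARE with CsrfViewMiddleware commented out, admin vs plain view."""
    no_middleware = []
    admin_change = admin_view(change_form)
    results = {}
    first = run(no_middleware, admin_change, Request("GET"))
    results["admin_get_sets_cookie"] = "csrftoken" in first.cookies
    token = first.cookies["csrftoken"]
    results["admin_post_no_cookie"] = run(
        no_middleware, admin_change,
        Request("POST", post={"csrfmiddlewaretoken": token})).status
    results["admin_post_valid"] = run(
        no_middleware, admin_change,
        Request("POST", cookies={"csrftoken": token},
                post={"csrfmiddlewaretoken": token})).status
    results["plain_post_no_middleware"] = run(
        no_middleware, change_form, Request("POST")).status
    results["plain_post_with_middleware"] = run(
        [CsrfViewMiddleware], change_form, Request("POST")).status
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the global list empty, the admin-wrapped view still sets the csrftoken cookie on GET and still answers 403 to a POST whose cookie is missing, while the undecorated view accepts the same POST; adding the class back to the list is what protects the undecorated view. That is the distinction between the site-wide setting and the per-view decorator the admin applies itself.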