How to use Cross Site Request Forgery protection correctly?

I’ve only started getting into web programming with Django recently. In order to make my website more secure, I used csrf_token when sending POST request, followed what I saw in
However, as I included
<script src=""></script>
in my HTTP file from Javascrip Cookie Library, I can get the csrf_token directly from my browser in Inpsect>console. I am not sure if doing like that is secure, please give me some pointers.

I’m not sure I understand what you’re asking here, or how the second part relates to the first.
But in general, the csrf_token is not a “secret” - it’s just a token that is intended to prevent JavaScript code running from site “A” from submitting forms to site “B”.
If your question is about retrieving the token from a cookie rather than from the DOM, the CSRF docs page you reference above covers all of that in detail.

I just wonder if the token has to be secret or not, thanks for your answer