I’ve only started getting into web programming with Django recently. In order to make my website more secure, I used csrf_token when sending POST request, followed what I saw in
https://docs.djangoproject.com/en/3.1/ref/csrf/.
However, as I included
<script src="https://cdn.jsdelivr.net/npm/js-cookie@rc/dist/js.cookie.min.js"></script>
in my HTTP file from Javascrip Cookie Library, I can get the csrf_token directly from my browser in Inpsect>console. I am not sure if doing like that is secure, please give me some pointers.
I’m not sure I understand what you’re asking here, or how the second part relates to the first.
But in general, the csrf_token is not a “secret” - it’s just a token that is intended to prevent JavaScript code running from site “A” from submitting forms to site “B”.
If your question is about retrieving the token from a cookie rather than from the DOM, the CSRF docs page you reference above covers all of that in detail.
I just wonder if the token has to be secret or not, thanks for your answer