Home/ Questions/Q 666799
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T23:51:31+00:00

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it I came to the conclusion that it is not valid

  • 0

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it

I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct?

I guess I don’t really understand when it’s safe to use this because of this statement:

This should not be done for POST forms
that target external URLs, since that
would cause the CSRF token to be
leaked, leading to a vulnerability.

The reason it’s confusing is that; to me an “external URL” would be page on that isn’t part of my domain (ie, I own http://www.example.com and put a form that posts to http://www.spamfoo.com. This obviously can’t be the case since people wouldn’t use Django for generating forms that post to other people’s websites, but how could it be true that you can’t use CSRF protection on public forms (like a login form)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    With apologies to not understanding the specific source of your confusion, I’ll say that the question you should be asking is when NOT to use CSRF protection. You’ve already called out this case from the docs:

    This should not be done for POST forms
    that target external URLs, since that
    would cause the CSRF token to be
    leaked, leading to a vulnerability.

    If you are posting a form to your domain, you’ll want CSRF protection enabled by default, unless you have a specific reason to disable it (which should be more rare than not).

    • 0