I have a Django webapp that has both a front-end, web-accessible component and an

Question

0

Asked: May 13, 20262026-05-13T23:40:44+00:00 2026-05-13T23:40:44+00:00

I have a Django webapp that has both a front-end, web-accessible component and an

0

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST’ed get a 403.

I understand why this is happening, but what is the proper way to fix this without compromising security? Is there someway I can signal in the HTTP header that it’s an API request and that Django shouldn’t be checking for CSRF or is that a bad strategy?

Edit–

The method I’m using at the moment is that the desktop client sets a header, X-Requested-With: XMLHttpRequest. This is kinda hacky, but I’m not sure how this would be handled better.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T23:40:44+00:00

Editorial Team

2026-05-13T23:40:44+00:00Added an answer on May 13, 2026 at 11:40 pm

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a Django webapp that has both a front-end, web-accessible component and an

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply