Home/ Questions/Q 666377
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T23:48:43+00:00

The django csrf middleware can’t be disabled. I’ve commented it out from my Middleware

  • 0

The django csrf middleware can’t be disabled. I’ve commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I’m working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware?

I have to disable it because there are lots of POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a django trunk project?

The “new’ CSRF framework from Django’s trunk is also breaking an external site that is coming in and doing a POST on a URL I’m giving them (this is part of a restful API.) I can’t disable the CSRF framework as I said earlier, how can I fix this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    See answers below this for a better solution. Since I wrote this, a lot has changed. There are now better ways to disable CSRF.

    I feel your pain. It’s not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x –> 2.x.

    Anyway, to fix it I just commented it out and have stopped updating Django as often.

    File: django/middleware/csrf.py
    Around line 160:

                # check incoming token
#            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
#            if request_csrf_token != csrf_token:
#                if cookie_is_new:
#                    # probably a problem setting the CSRF cookie
#                    return reject("CSRF cookie not set.")
#                else:
#                    return reject("CSRF token missing or incorrect.")
    • 0