[Django] #37032: Documentation for django.template.context_processors.csrf is incorrect or inaccurate


Django

Apr 13, 2026, 8:21:47 AM
to django-...@googlegroups.com
#37032: Documentation for django.template.context_processors.csrf is incorrect or
inaccurate
-------------------------------------+-------------------------------------
Reporter: Christian Finnberg | Type:
| Uncategorized
Status: new | Component:
| Documentation
Version: dev | Severity: Normal
Keywords: csrf, context | Triage Stage:
processor | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Documentation for django.template.context_processors.csrf in
https://docs.djangoproject.com/en/dev/ref/templates/api/#django-template-context-processors-csrf
is not accurate. It says:
This processor adds a token that is needed by the csrf_token template
tag for protection against Cross Site Request Forgeries.

But the `csrf_token` template tag is independent of this context
processor. This context processor adds a `csrf_token` variable that can be
used for protection against CSRF, but it seems that this is like a
"legacy" method. The recommended way, or at least the way Django is
configured by default, is to enable the
django.middleware.csrf.CsrfViewMiddleware middleware, which adds the
`csrf_token` template tag and works independently of this context
processor.

So a different definition may be better. Something like:
If this processor is enabled, every **RequestContext** will contain a
variable **csrf_token** with a CSRF token, or the string 'NOTPROVIDED' if
it has not been provided by either a view decorator or the middleware.
Notice that the `csrf_token` template tag (not this context processor) is
the preferred way to add the CSRF token to the forms.

In any case I think this component's text must be corrected somehow.
--
Ticket URL: <https://code.djangoproject.com/ticket/37032>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Apr 14, 2026, 4:16:41 AM
to django-...@googlegroups.com
#37032: Documentation for django.template.context_processors.csrf is incorrect or
inaccurate
-------------------------------------+-------------------------------------
Reporter: Christian Finnberg | Owner: (none)
Type: Uncategorized | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: invalid
Keywords: csrf, context | Triage Stage:
processor | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* resolution: => invalid
* status: new => closed

Comment:

The docs are correct, the template tag gets the `csrf_token` which is
added by the context processor. However, this context processor is enabled
by default regardless of your settings. See
https://docs.djangoproject.com/en/6.0/ref/templates/api/#:~:text=In%20addition%20to%20these,option
--
Ticket URL: <https://code.djangoproject.com/ticket/37032#comment:1>

Django

Apr 14, 2026, 6:32:15 AM
to django-...@googlegroups.com
#37032: Documentation for django.template.context_processors.csrf is incorrect or
inaccurate
-------------------------------------+-------------------------------------
Reporter: Christian Finnberg | Owner: (none)
Type: Uncategorized | Status: closed
Component: Documentation | Version: dev
Severity: Normal | Resolution: invalid
Keywords: csrf, context | Triage Stage:
processor | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Christian Finnberg):

Replying to [comment:1 Sarah Boyce]:
> The docs are correct, the template tag gets the `csrf_token` which is
> added by the context processor. However, this context processor is enabled
> by default regardless of your settings. See
> https://docs.djangoproject.com/en/6.0/ref/templates/api/#:~:text=In%20addition%20to%20these,option

Thanks for the correction. I didn't notice your highlighted paragraph.
Sorry for the noise then.
In any case I still think it would be helpful for the developer reading
the documentation to get this information also from the
django.template.context_processors.csrf part. At least I was reading the
part of the documentation about context processors and I was confused
about this one.
--
Ticket URL: <https://code.djangoproject.com/ticket/37032#comment:2>