Disable CSRF protection for just one route?
11 views
Skip to first unread message
Eldav
Oct 16, 2025, 6:11:09 PM (3 days ago) Oct 16
to pylons-discuss
Hello list,
just one quick question for confirmation, as I think I know the answer: is it possible to disable CSRF protection for just one route?
In my use case, I don't control the system which will call that route, it's a notification service posting workflow events. HTTP method has to be POST.
If Pyramid can't do it, I'll set up a micro-service, probably with Litestar, writing to the sama database as Pyramid.
Thanks in advance,
Laurent.
Mike Orr
Oct 16, 2025, 6:23:04 PM (3 days ago) Oct 16
to pylons-...@googlegroups.com
I'd have to look up how I set up CSRF detection, but if I'm
remembering correctly it was on just one page, either a
publicly-accessible form to request an account, or on the login form
(which is no longer used since we switched to OAuth2).
You may be able to do something in one of the view callbacks to
override the default setting, such an early view predicate. Or maybe
in an event callback early in the request cycle.
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/pylons-discuss/2fd1dc91-83e4-4f34-a66b-76dcf1fae00bn%40googlegroups.com.
--
Mike Orr <slugg...@gmail.com>
remembering correctly it was on just one page, either a
publicly-accessible form to request an account, or on the login form
(which is no longer used since we switched to OAuth2).
You may be able to do something in one of the view callbacks to
override the default setting, such an early view predicate. Or maybe
in an event callback early in the request cycle.
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/pylons-discuss/2fd1dc91-83e4-4f34-a66b-76dcf1fae00bn%40googlegroups.com.
--
Mike Orr <slugg...@gmail.com>
Delta Regeer
Oct 16, 2025, 6:45:00 PM (3 days ago) Oct 16
to pylons-...@googlegroups.com
https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#mapping-views-using-a-decorator-section
require_csrf = False on the view?
Delta Regeer
Oct 16, 2025, 6:45:43 PM (3 days ago) Oct 16
to pylons-...@googlegroups.com
Eldav
Oct 16, 2025, 6:49:07 PM (3 days ago) Oct 16
to pylons-discuss
Thank you everybody,
apparently it's as easy as setting "require_csrf = False" in view_config or a Cornice service indeed. For some reason, I had been convinced during all these years that once enabled, the protection was inflexible. I feel silly for asking such a simple question :|
apparently it's as easy as setting "require_csrf = False" in view_config or a Cornice service indeed. For some reason, I had been convinced during all these years that once enabled, the protection was inflexible. I feel silly for asking such a simple question :|
I stand corrected,
Laurent.
Reply all
Reply to author
Forward
0 new messages