.. _ref-contrib-csrf:

=====================================
Cross Site Request Forgery protection
=====================================

.. module:: django.contrib.csrf
   :synopsis: Protects against Cross Site Request Forgeries

The CSRF middleware and template tag provide easy-to-use protection against
`Cross Site Request Forgeries`_. This type of attack occurs when a malicious
Web site creates a link or form button that is intended to perform some action
on your Web site, using the credentials of a logged-in user who is tricked into
clicking on the link in their browser.

The first defense against CSRF attacks is to ensure that GET requests are
side-effect free. POST requests can then be protected by adding this middleware
to your list of installed middleware, following the steps below.

.. versionadded:: 1.1

The 'contrib' apps, including the admin, depend on the functionality described
here. Anyone upgrading from earlier versions should read the `Upgrading notes`_
carefully.

.. _Cross Site Request Forgeries: http://www.squarefree.com/securitytips/web-developers.html#CSRF

How to use it
=============

.. versionchanged:: 1.1

The template tag functionality (the recommended way to use this) was added in
version 1.1. The previous method (still available) is described under
`Legacy method`_.

To enable CSRF protection for your views, follow these steps:

1. Add the middleware ``'django.contrib.csrf.middleware.CsrfViewMiddleware'``
   to your list of middleware classes, :setting:`MIDDLEWARE_CLASSES`.
   (Currently it can come anywhere in the list with respect to other
   middleware included in Django. It should come before any view middleware
   that assumes that CSRF attacks have been dealt with.)

2. Add ``'django.contrib.csrf'`` to your :setting:`INSTALLED_APPS`.

3. In any template that uses a POST form, first load the 'csrf' template tag
   library::

       {% load csrf %}

   Then use the ``csrf_token`` tag inside the ``
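The policy the middleware enforces, as an added illustration that is not Django's own code: safe methods such as GET pass unchecked because they must be side-effect free, while a POST is accepted only when it carries the token bound to the user's session, which a third-party site cannot read. The session dict, the ``csrfmiddlewaretoken`` field name and the helper names are assumptions of this sketch.

```python
import hmac
import secrets

# Methods the middleware never checks; the page's first rule is that they
# must be side-effect free, otherwise this exemption is itself a hole.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token(session):
    """Bind one random secret to the session (assumed to be a plain dict).

    A template would render this value into a hidden form field; the
    attacker's page, being a different origin, cannot read it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def csrf_check(method, session, form_data):
    """Return (allowed, reason) for one request.

    Mirrors the view-middleware behaviour described above: safe methods
    are passed through, anything else must present a token matching the
    session's. Field name 'csrfmiddlewaretoken' is assumed here.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get("csrf_token")
    supplied = form_data.get("csrfmiddlewaretoken")
    if expected is None or supplied is None:
        return False, "missing token"
    # Constant-time comparison so a mismatch leaks nothing about the secret.
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"
    return True, "token ok"


def forged_post_is_rejected(session):
    """A cross-site form can post form fields but has no way to include the
    victim's token; the request must therefore be refused."""
    issue_csrf_token(session)
    allowed, _ = csrf_check("POST", session, {"action": "delete_account"})
    return not allowed
```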