How django safely bypasses a random CSRF token for AJAX requests.
Django will allow AJAX requests that contain the following header without the need for any CSRF token: X-Requested-With: XMLHttpRequest
See: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
While its true that an individual user could tamper with their own headers, it is not possible to modify another user's headers in a cross domain attack such as CSRF. See discussion here
Testing?
Intercept a request and remove the X-Requested-With header.
You should get a 403 FORBIDDEN response if the CSRF defense is working correctly.
-Michael Coates - @_mwc