Tuesday, December 14, 2010

Django's Built In CSRF Defense for AJAX

How Django's CSRF middleware (as of 1.2) exempts AJAX requests from the token check, and how to verify the exemption is really tied to the header.

Django's CsrfViewMiddleware accepts a POST without any CSRF token as long as the request carries the following header, which XMLHttpRequest wrappers such as jQuery add to their requests automatically: X-Requested-With: XMLHttpRequest

See: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

While it's true that an individual user could tamper with their own headers, the exemption rests on the assumption that a cross-domain attacker cannot add a custom header to another user's request (a plain HTML form, the usual CSRF vector, cannot set headers at all). See discussion here. Caveat: that assumption did not hold up. Django 1.2.5 (February 2011) removed the X-Requested-With exemption after it was shown that a browser plugin combined with an HTTP redirect could make a cross-domain request carry arbitrary headers; from that release on, AJAX requests must supply the token too, usually in an X-CSRFToken header.

Testing?

Intercept a POST from the application in a proxy and remove the X-Requested-With header, leaving the rest of the request (including the session cookie) intact.
You should get a 403 Forbidden response if the CSRF defense is working correctly; if the request still succeeds without either the header or a valid token, the protection is not being applied to that view.
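The decision logic described above, and the header-stripping test, as an added example that models the middleware's behaviour rather than reproducing Django's own code. It puts the 1.2-era rule (AJAX header alone is enough) beside the stricter rule Django adopted in 1.2.5 (token required on every unsafe request, accepted from the POST body or an X-CSRFToken header), and runs both over the same constructed requests: the header names, token values and request dictionaries are constructed for the demo and are not taken from Django.

```python
# Added example: a stand-alone model of Django's CSRF decision, not Django code.
# Requests are plain dicts of headers; tokens are constructed for the demo.
import hmac
import secrets

# Methods Django treats as "safe" and never subjects to the CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def is_ajax(headers):
    """The check Django 1.2 relied on: the X-Requested-With header, which
    XMLHttpRequest wrappers add automatically, equals 'XMLHttpRequest'."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def token_matches(cookie_token, submitted_token):
    """Constant-time comparison of the csrftoken cookie value with the token
    the request submitted. Missing values never match."""
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def csrf_check_2010(method, headers, cookie_token, post_token):
    """Model of the Django 1.2.x rule this post describes: an unsafe request
    with the AJAX header is accepted without any token. Returns 'accept' or 403."""
    if method in SAFE_METHODS:
        return "accept"
    if is_ajax(headers):  # header present -> no token required
        return "accept"
    return "accept" if token_matches(cookie_token, post_token) else 403


def csrf_check_strict(method, headers, cookie_token, post_token):
    """Model of the rule Django adopted in 1.2.5: every unsafe request needs a
    matching token, supplied in the POST body or in an X-CSRFToken header;
    X-Requested-With no longer matters."""
    if method in SAFE_METHODS:
        return "accept"
    submitted = post_token or headers.get("X-CSRFToken")
    return "accept" if token_matches(cookie_token, submitted) else 403


def run_scenarios():
    """Replays the post's test (strip the header from an intercepted POST)
    against both rules and returns the verdicts keyed by scenario name."""
    token = secrets.token_hex(16)  # stands in for the csrftoken cookie value
    ajax = {"X-Requested-With": "XMLHttpRequest"}
    stripped = {}  # the same request after deleting the header in a proxy
    return {
        # 2010 rule: the header alone gets the request through ...
        "ajax_no_token_2010": csrf_check_2010("POST", ajax, token, None),
        # ... and stripping it yields the 403 the post tells you to look for.
        "stripped_no_token_2010": csrf_check_2010("POST", stripped, token, None),
        # Strict rule: the header alone is no longer enough ...
        "ajax_no_token_strict": csrf_check_strict("POST", ajax, token, None),
        # ... the AJAX client must also send the token in X-CSRFToken ...
        "ajax_header_token_strict": csrf_check_strict(
            "POST", {**ajax, "X-CSRFToken": token}, token, None),
        # ... and a guessed token is rejected regardless of headers.
        "stripped_wrong_token_strict": csrf_check_strict(
            "POST", stripped, token, "0" * 32),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The `stripped_no_token_2010` scenario is the manual test from this post expressed in code: the only difference between it and `ajax_no_token_2010` is the presence of the header, so if a real deployment accepts both, the view is not protected at all. The two strict-rule scenarios show what the AJAX client has to change once the exemption is gone: read the csrftoken cookie and echo it in the X-CSRFToken header.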


-Michael Coates - @_mwc