Docs: send POST request on base.html does not mention {{ csrf_token }}

Have a look at the section "AJAX" in this documentation page:

It does not mention the highly relevant csrf_token in a meta tag on base.html. I think it should.

<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />

In many cases AJAX is used on the root path, with this action:

url(r'^$', Index, name='Index'),


<!DOCTYPE html>
<html lang="en">
<head>
    <link rel="stylesheet" href="style.css" />
    <title>{% block title %}My amazing site{% endblock %}</title>
</head>

<body>
    <div id="sidebar">
        {% block sidebar %}
            <ul>
                <li><a href="/">Home</a></li>
                <li><a href="/blog/">Blog</a></li>
            </ul>
        {% endblock %}
    </div>

    <div id="content">
        {% block content %}{% endblock %}
    </div>
</body>
</html>

{% extends "base.html" %}

{% block title %}{{ section.title }}{% endblock %}

{% block content %}
<h1>{{ section.title }}</h1>

{% endblock %}

Now, when the index action returns render(), if users use AJAX on base.html (for example, checking session permissions with JavaScript on the base.html page), this page sets no csrf_token cookie to send to the server side.

There are 2 ways:
1 - use {% csrf_token %}; this creates an input tag on base.html (this is not good)
2 - use a meta tag (<meta content="{{ csrf_token }}" name='csrfmiddlewaretoken' />)

I use 2, and it works great.

comment:1 by Aymeric Augustin, 8 years ago

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

in reply to: 1; comment:2 by Ramin Farajpour Cami, 8 years ago

Replying to Aymeric Augustin:

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

Hi,

please look at this:

1 - first, if you use Chrome, please press (ctrl+F5)
2 - you see the render error
3 - please sniff the AJAX request (session/current)

you see something like this:

Accept-Encoding:gzip, deflate, sdch
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

there isn't a csrf_token in the cookie,

in reply to: 2; comment:3 by Ramin Farajpour Cami, 8 years ago

Replying to Ramin Farajpour Cami:

Replying to Aymeric Augustin:

It's unclear to me how declaring this <meta> tag causes the CSRF token to be added to AJAX requests.

Are you using JavaScript code to extract it from there and add it to AJAX requests?

Or is this a behavior of <meta> tags that I'm not familiar with?

If the latter, is it a standardized behavior across browsers? Can you provide a link to documentation or compatibility tables?

Hi,

please look at this:

1 - first, if you use Chrome, please press (ctrl+shift+n)
2 - you see the render error
3 - please sniff the AJAX request (session/current)

you see something like this:

Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36


there isn't a csrf_token in the cookie,

comment:4 by Tim Graham, 8 years ago

Summary changed from "Docs: send POST request on base.html does not mention {{ csrf_toeken }}" to "Docs: send POST request on base.html does not mention {{ csrf_token }}"

Similar to Aymeric, I'm not sure what behavior you're describing or what documentation should be added. Could you offer a patch to explain it?

comment:5 by Ramin Farajpour Cami, 8 years ago

Hi Tim,

I will give you more info first; you should be sure first, and afterwards the patch.

What I mean in this ticket:

from django.shortcuts import render

def index(req):
    return render(req, 'index.html')

and index.html extends base.html. When index.html is rendered, both index.html and base.html are handled in the browser. Now, if users use AJAX on base.html, I see that in Django csrf_token cannot be handled on base.html. Do you think I am mistaken? Please clarify this for me, because I see this behavior in Django.

Rails creates a meta csrf tag for layout.html (in Django: base.html).

comment:6 by Aymeric Augustin, 8 years ago

Resolution: worksforme
Status: new → closed

Your use case is documented here:

Django doesn't ship JavaScript code that would take advantage of the <meta> tag you're describing, so there's no use describing that (except if it's a built-in behavior in browsers, which is why I asked for evidence of that behavior, because I'd be surprised if it existed).

comment:7 by Ramin Farajpour Cami, 8 years ago

Hi Aymeric,

but this is not good: an unprotected csrf token. I tested it now and it works, but if the csrf token is important for users on base.html for one AJAX request, do you have a solution?


comment:8 by Aymeric Augustin, 8 years ago

You need two things:

  1. Create a CSRF token by accessing it. (That will cause the token to be automatically sent in a cookie.)
  2. Get this token from JavaScript. (The most reliable is to look it up from the cookie rather than the DOM.)

I usually solve 1. with a trivial middleware:

from django.middleware.csrf import get_token


class SendCsrfCookie:
    """
    Send a CSRF cookie with every request.

    Any page could trigger an AJAX POST request.
    """

    def process_request(self, request):
        # Accessing the token marks the request so that CsrfViewMiddleware
        # sets the csrftoken cookie on the response.
        get_token(request)

and 2. with the method described in the documentation.

I'm having a hard time following your comments. As far as I can tell, you're proposing something for 2. which doesn't work at all but accidentally triggers 1. Then something else makes 2. work in your project. I don't think that makes sense and that's why I'm rejecting the proposal.

We might want to document the middleware technique.
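The client-side half of the approach in comment 8 (look the token up from the csrftoken cookie and send it in the X-CSRFToken header on unsafe AJAX requests), together with the meta-tag fallback the reporter describes in the original report, as an added example; this is not code from the ticket or from Django. It assumes Django's default cookie name csrftoken and header name X-CSRFToken, takes the cookie string as a parameter (document.cookie in a browser) so it can run outside one, and the sample cookie strings are constructed.

```javascript
// Added example: client-side CSRF handling for AJAX from base.html.
// Assumes Django's default CSRF_COOKIE_NAME ("csrftoken") and the
// X-CSRFToken header that CsrfViewMiddleware reads by default.

const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie-style string ("a=1; b=2") and return the value of
// `name`, or null when the cookie is absent. Same logic as the getCookie()
// helper in the Django CSRF docs, but the cookie string is a parameter so
// the function can be exercised without a browser.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Locate the token. The cookie is authoritative (it is what the server
// compares the header against); a <meta name="csrfmiddlewaretoken"> value,
// if the page passes one in, is only a fallback.
function findCsrfToken(cookieString, metaToken = null) {
  return getCookie('csrftoken', cookieString) || metaToken || null;
}

// Build fetch() options for a same-origin request. Unsafe methods must carry
// the token; if there is none (the situation the reporter hit: base.html was
// rendered without anything ever touching the token, so no cookie was set),
// refuse to send instead of letting the server answer 403.
function buildRequest(method, body, cookieString, metaToken = null) {
  const upper = method.toUpperCase();
  const headers = { 'X-Requested-With': 'XMLHttpRequest' };
  if (!CSRF_SAFE_METHODS.has(upper)) {
    const token = findCsrfToken(cookieString, metaToken);
    if (token === null) {
      throw new Error('no CSRF token: the server never set the csrftoken cookie for this page');
    }
    headers['X-CSRFToken'] = token;
  }
  return { method: upper, headers, credentials: 'same-origin', body };
}

// Send a JSON POST. `fetchImpl` defaults to the browser's fetch and is a
// parameter only so the call can be observed outside a browser.
async function postJson(url, payload, cookieString, metaToken = null, fetchImpl = globalThis.fetch) {
  const options = buildRequest('POST', JSON.stringify(payload), cookieString, metaToken);
  options.headers['Content-Type'] = 'application/json';
  return fetchImpl(url, options);
}

// Constructed sample cookie strings (hypothetical values, for illustration).
const COOKIE_WITH_TOKEN = 'sessionid=abc123; csrftoken=k9H2mX7pQ4vL1nR8wT3yB6cD0fG5jZ2s';
const COOKIE_WITHOUT_TOKEN = 'sessionid=abc123';

// Stand-alone demonstration: a POST with the cookie present carries the header.
console.log(buildRequest('POST', '{}', COOKIE_WITH_TOKEN).headers['X-CSRFToken']);

module.exports = { getCookie, findCsrfToken, buildRequest, postJson, COOKIE_WITH_TOKEN, COOKIE_WITHOUT_TOKEN };
```

In a browser the call is postJson('/session/current', {}, document.cookie); pair it with the SendCsrfCookie middleware above so that the cookie exists on every page, at which point the meta-tag fallback becomes unnecessary.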

