khalsa labs

What is csrf exempt in django – @csrf_exempt ?

csrf_exempt is a handy feature of Django that lets a specific view bypass Django's CSRF verification.


By default, Django checks for a CSRF token on every POST request: it verifies the token before the view runs. Verifying the CSRF token on POST requests is a very good security practice, and it is one of the reasons Django is regarded as secure by default.

Then why do we need csrf_exempt?

The answer is simple: to customize a Django view. In some cases we do not want CSRF validation, e.g. for public APIs, plain AJAX requests, or REST APIs.


To suppress the CSRF verification error, we can use the @csrf_exempt decorator on a specific view.

from django.views.decorators.csrf import csrf_exempt
from django.http import HttpResponse, HttpResponseNotAllowed

@csrf_exempt
def public_api(request):
    # The decorator marks this view so Django's CSRF middleware skips it;
    # a POST without a csrf token is therefore accepted here.
    if request.method == 'POST':
        return HttpResponse('API hit with post method')
    # A Django view must always return a response, so reject other methods explicitly.
    return HttpResponseNotAllowed(['POST'])


The view above will accept a POST call without a CSRF token in it. Otherwise you have to send the CSRF token with API calls in Django.
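To make concrete what the middleware actually checks and what the decorator switches off, here is a small added model (not Django's own code and not from this post): a constructed Request type, a check in the same shape as Django's CSRF middleware, and the csrf_exempt marker attribute that Django's decorator sets on the view. The names Request, csrf_check and new_csrf_token are assumptions of the example, and it also covers the cookie-plus-header submission that AJAX clients use.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, simplified model of Django's CSRF check and of @csrf_exempt.
# Not Django's code: Django additionally masks the token, checks Origin/Referer
# on HTTPS requests, and takes cookie/header names from settings.
COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"   # header that AJAX clients (e.g. Angular) send
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_exempt(view):
    """Same mechanism as Django's decorator: flag the view so the check skips it."""
    view.csrf_exempt = True
    return view


def new_csrf_token() -> str:
    return secrets.token_hex(16)


def csrf_check(request: Request, view) -> int:
    """Return 403 when verification fails, otherwise the view's status code."""
    if request.method in SAFE_METHODS or getattr(view, "csrf_exempt", False):
        return view(request)
    cookie_token = request.cookies.get(COOKIE_NAME)
    # Token may arrive as a form field or, for AJAX, as a header copied from the cookie.
    submitted = request.post.get("csrfmiddlewaretoken") or request.headers.get(HEADER_NAME)
    if not cookie_token or not submitted:
        return 403   # "CSRF verification failed. Request aborted."
    if not hmac.compare_digest(cookie_token, submitted):
        return 403
    return view(request)


def protected_view(request: Request) -> int:
    return 200


@csrf_exempt
def public_api(request: Request) -> int:
    return 200
```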

I hope this is enough to understand what csrf exempt is and why we use it. Any other questions related to CSRF tokens you can ask freely in the comments.


3 comments on “What is csrf exempt in django – @csrf_exempt ?”

  • Ruslan

    But we need a CSRF check, as I understand it.
    And if I use Angular for the frontend, will I use the CSRF token from cookies?

    • Harman Singh

      Hi Ruslan,
      Yes, you are right. If you are using Django with Angular, cookies would be the right way to do CSRF verification.
      This is more similar to the CSRF verification method with AJAX in Django.
      You can also take reference from the django-angular project.
      Let me know if you face any other difficulty, I would love to help.

  • hariprasad Kothapalli

    Forbidden (403)
    CSRF verification failed. Request aborted.

    Please help me with the above issue.
