Opened 6 years ago; closed 6 years ago; last modified 6 years ago

#29858 closed Cleanup/optimization (fixed)

Clarify docs regarding CSRF token header name

Reported by: Stewart Polley
Owned by: nobody
Component: Documentation
Version: 2.1
Severity: Normal
Keywords: (none)
Cc: (none)
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I'm working on a small new application, and using Axios to post back to Django.

Part of this is of course setting the relevant header to include the CSRF token.
Looking at the docs there appear to be contradictory messages about what that header should be.
Initially we get greeted with this:

For this reason, there is an alternative method: on each XMLHttpRequest, set a custom X-CSRFToken
header to the value of the CSRF token

Later on though we get this blockquote in the docs:

Note
...
The CSRF header name is HTTP_X_CSRFTOKEN by default, but you can customize it using the CSRF_HEADER_NAME setting.

From testing, it appears that X-CSRFToken is indeed the correct header to use, as it's currently functioning, but I'm unsure if this is a bug with Django, or an error in the docs.

If it's an error in the docs, can someone please point me in the direction of how to submit a pull request to fix this?

Change History (9)

comment:1 by Stewart Polley, 6 years ago

Summary: CSRF → CSRF Token headers and documentation

comment:2 by Stewart Polley, 6 years ago

Component: Uncategorized → Documentation

comment:3 by Tim Graham, 6 years ago

Resolution: → invalid
Status: new → closed

The difference is explained on the settings reference page:

As with other HTTP headers in request.META, the header name received from the server is normalized by converting all characters to uppercase, replacing any hyphens with underscores, and adding an 'HTTP_' prefix to the name. For example, if your client sends a 'X-XSRF-TOKEN' header, the setting should be 'HTTP_X_XSRF_TOKEN'.
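The normalization Tim quotes above is the whole source of the confusion: the client sets a header called X-CSRFToken, but the middleware reads the token out of request.META, where that header has become HTTP_X_CSRFTOKEN, and CSRF_HEADER_NAME must name the META key, not the wire header. The following is an added example, not code from this ticket or from Django itself: it re-implements the documented rule (upper-case, hyphens to underscores, HTTP_ prefix) so you can see which setting value a given client header requires, and it simulates the middleware's lookup so a mismatch shows up as a missing token rather than as a silent 403. The function and variable names are my own; the only assumptions are the quoted rule and the standard WSGI exception that Content-Type and Content-Length are exposed without the HTTP_ prefix.

```python
"""Map client-side CSRF header names to the request.META key that
CSRF_HEADER_NAME has to name.  Added example; not Django's own code."""

# WSGI exposes these two request headers without the HTTP_ prefix.
# (Standard WSGI behaviour, not specific to Django.)
_WSGI_UNPREFIXED = {
    "CONTENT-TYPE": "CONTENT_TYPE",
    "CONTENT-LENGTH": "CONTENT_LENGTH",
}


def header_to_meta_key(header_name: str) -> str:
    """Return the request.META key under which a header sent by the client
    as `header_name` will appear: upper-cased, '-' -> '_', 'HTTP_' prefix."""
    upper = header_name.strip().upper()
    if upper in _WSGI_UNPREFIXED:
        return _WSGI_UNPREFIXED[upper]
    return "HTTP_" + upper.replace("-", "_")


def meta_from_headers(headers: dict) -> dict:
    """Build a META-style dict from raw client headers (constructed input)."""
    return {header_to_meta_key(name): value for name, value in headers.items()}


def check_csrf_header_setting(setting_value: str) -> list:
    """Return the reasons a proposed CSRF_HEADER_NAME value can never match
    anything in request.META.  An empty list means it is already in
    normalized META form."""
    problems = []
    if not setting_value.startswith("HTTP_"):
        problems.append("missing HTTP_ prefix: the middleware reads request.META, "
                        "not the raw header name")
    if "-" in setting_value:
        problems.append("contains '-': hyphens become '_' in request.META keys")
    if setting_value != setting_value.upper():
        problems.append("not upper-case: META keys are upper-cased")
    return problems


def get_csrf_token_from_request(headers: dict,
                                csrf_header_name: str = "HTTP_X_CSRFTOKEN"):
    """Mimic the middleware's lookup: fetch the token from META under the
    configured key.  None means the header the client sent does not map to
    csrf_header_name, which is the case that ends in a 403."""
    meta = meta_from_headers(headers)
    return meta.get(csrf_header_name)


if __name__ == "__main__":
    # Constructed sample: the header an Axios/XMLHttpRequest client sets.
    client_headers = {"X-CSRFToken": "token-from-cookie", "Content-Type": "application/json"}

    print(meta_from_headers(client_headers))
    print(get_csrf_token_from_request(client_headers))                      # found
    print(get_csrf_token_from_request(client_headers, "HTTP_X_XSRF_TOKEN"))  # None

    # The mistake the ticket describes: copying the wire header name into the setting.
    for problem in check_csrf_header_setting("X-CSRFToken"):
        print("CSRF_HEADER_NAME =", repr("X-CSRFToken"), "->", problem)
```

Two practical checks follow from the rule. First, if you change CSRF_HEADER_NAME, run the new value through something like check_csrf_header_setting above: a value such as 'X-XSRF-TOKEN' can never match, because no key in request.META looks like that. Second, because both '-' and '_' collapse to '_', the client headers X-CSRFToken and X_CSRFToken land on the same META key; that does not weaken the CSRF check (the value still has to be a valid token), but it is worth knowing when reading logs or when a proxy in front of Django drops headers containing underscores.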

comment:4 by Tim Graham, 6 years ago

Summary: CSRF Token headers and documentation → Inconsistency in documentation for CSRF token header names
Type: Uncategorized → Bug

comment:5 by Stewart Polley, 6 years ago

Thanks for that clarification.

Would you be open to making reference to that in the Documentation for CSRF tokens in AJAX Calls?
https://docs.djangoproject.com/en/2.1/ref/csrf/#ajax

(Sorry, getting used to this formatting)

comment:6 by Tim Graham, 6 years ago

Has patch: set
Resolution: invalid → (cleared)
Status: closed → new
Summary: Inconsistency in documentation for CSRF token header names → Clarify docs regarding CSRF token header name
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

I see your point. The note was moved lower in ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 which didn't help. Could you review my PR?

comment:7 by Stewart Polley, 6 years ago

I'll add some comments in the Pull Request

comment:8 by Tim Graham <timograham@…>, 6 years ago

Resolution: → fixed
Status: new → closed

In a29fce8:

Fixed #29858 -- Clarified docs regarding CSRF token header name.

comment:9 by Tim Graham <timograham@…>, 6 years ago

In 4acdba4:

[2.1.x] Fixed #29858 -- Clarified docs regarding CSRF token header name.

Backport of a29fce89845cc9ca2fa96d8880104726b75dfbd6 from master.
