#29858 closed Cleanup/optimization (fixed)
Clarify docs regarding CSRF token header name
Reported by: | Stewart Polley | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 2.1 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I'm working on a small new application, and using AXIOS to post back to Django.
Part of this is of course setting the relevant header to include the CSRF token.
Looking at the docs there appear to be contradictory messages about what that heading should be.
Initially we get greeted with this:
> For this reason, there is an alternative method: on each XMLHttpRequest, set a custom X-CSRFToken header to the value of the CSRF token
Later on though we get this blockquote in the docs:
> Note
>
> ...
>
> The CSRF header name is HTTP_X_CSRFTOKEN by default, but you can customize it using the CSRF_HEADER_NAME setting.
From testing, it appears that X-CSRFToken is indeed the correct header to use, as it's currently functioning, but I'm unsure if this is a bug with Django, or an error in the docs.
If it's an error in the docs, can someone please point me in the direction of how to submit a pull request to fix this?
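The two names the ticket quotes refer to the same header seen from two sides: the browser sends the HTTP header `X-CSRFToken`, and the WSGI server exposes it to Django in `request.META` as `HTTP_X_CSRFTOKEN`, which is the default value of the `CSRF_HEADER_NAME` setting. The following is an added illustration, not code from the ticket or from Django itself; it reproduces the header-name to META-key mapping and a simplified mock of the middleware's lookup (the real `CsrfViewMiddleware` also unmasks tokens, which is omitted here). The token values and header names other than `X-CSRFToken` are constructed for the example.

```python
# Added example (not from the Django ticket or the Django code base).
# Shows why "X-CSRFToken" (what the client sets) and "HTTP_X_CSRFTOKEN"
# (what CSRF_HEADER_NAME names) are the same header.
import hmac

# Django's documented default for the CSRF_HEADER_NAME setting.
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"


def header_to_meta_key(header_name: str) -> str:
    """Map an HTTP request header name to its WSGI environ / request.META key.

    WSGI servers expose request headers as "HTTP_" + the upper-cased name
    with "-" replaced by "_". Header names are case-insensitive, so the
    upper-casing also normalises "x-csrftoken" and "X-CSRFToken" alike.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_meta(headers: dict) -> dict:
    """Simulate the META dict a WSGI server would hand Django for these headers."""
    return {header_to_meta_key(name): value for name, value in headers.items()}


def csrf_token_from_request(meta: dict, header_name: str = CSRF_HEADER_NAME) -> str:
    """Simplified mock of the middleware's lookup: read the token from META
    under the key named by CSRF_HEADER_NAME (empty string when absent)."""
    return meta.get(header_name, "")


def csrf_check_passes(headers: dict, cookie_token: str,
                      header_name: str = CSRF_HEADER_NAME) -> bool:
    """Return True when the token sent in the header matches the cookie token.

    Both values must be present, and the comparison is constant-time so that
    a mismatch does not leak how many leading characters matched.
    (Simplification: real Django compares unmasked tokens.)
    """
    sent = csrf_token_from_request(build_meta(headers), header_name)
    if not sent or not cookie_token:
        return False
    return hmac.compare_digest(sent, cookie_token)


if __name__ == "__main__":
    token = "constructed-example-token"  # constructed value, not a real token
    cases = {
        # The header the docs tell the client to set: passes.
        "X-CSRFToken": {"X-CSRFToken": token},
        # Extra hyphen: becomes HTTP_X_CSRF_TOKEN in META and is never found.
        "X-CSRF-Token": {"X-CSRF-Token": token},
        # Setting the META-style name as a header yields HTTP_HTTP_X_CSRFTOKEN.
        "HTTP_X_CSRFTOKEN": {"HTTP_X_CSRFTOKEN": token},
    }
    for label, hdrs in cases.items():
        print(f"{label:18} -> META key {header_to_meta_key(label):24} "
              f"passes={csrf_check_passes(hdrs, token)}")
    # A customised CSRF_HEADER_NAME must likewise be given in META form.
    print("custom header     ->",
          csrf_check_passes({"X-My-CSRF": token}, token, header_name="HTTP_X_MY_CSRF"))
```

Running the block prints that only the `X-CSRFToken` request passes: a header with an extra hyphen lands under `HTTP_X_CSRF_TOKEN`, and sending the literal string `HTTP_X_CSRFTOKEN` as a header becomes `HTTP_HTTP_X_CSRFTOKEN`, so neither is found under the configured key. When `CSRF_HEADER_NAME` is customised, the setting still takes the META form of the header the client sends.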
Change History (9)
comment:1 by , 6 years ago
Summary: | CSRF + → CSRF Token headers and documentation |
---|---|
comment:2 by , 6 years ago
Component: | Uncategorized → Documentation |
---|---|
comment:3 by , 6 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:4 by , 6 years ago
Summary: | CSRF Token headers and documentation → Inconsistency in documentation for CSRF token header names |
---|---|
Type: | Uncategorized → Bug |
comment:5 by , 6 years ago
Thanks for that clarification.
Would you be open to making reference to that in the Documentation for CSRF tokens in AJAX Calls?
https://docs.djangoproject.com/en/2.1/ref/csrf/#ajax
(Sorry, getting used to this formatting)
comment:6 by , 6 years ago
Has patch: | set |
---|---|
Resolution: | invalid |
Status: | closed → new |
Summary: | Inconsistency in documentation for CSRF token header names → Clarify docs regarding CSRF token header name |
Triage Stage: | Unreviewed → Accepted |
Type: | Bug → Cleanup/optimization |
I see your point. The note was moved lower in ddf169cdaca91e92dd5bfe6796bb6f38369ecb68 which didn't help. Could you review my PR?
The difference is explained on the settings reference page: