CsrfViewMiddleware
Requires a present and correct CSRF token (the csrfmiddlewaretoken form field, or the X-CSRFToken header for JavaScript clients) on every request that uses an unsafe HTTP method (anything other than GET, HEAD, OPTIONS and TRACE), rejects such a request with a 403 if the token is missing or does not match the secret in the CSRF cookie, and sets an outgoing CSRF cookie when one is needed. Views decorated with csrf_exempt are not checked.
This middleware should be used in conjunction with the {% csrf_token %} template tag, which renders the token into HTML forms.
Attributes
| Attribute | Type | Description |
|---|---|---|
| csrf_trusted_origins_hosts | list of strings | Cached property. The network locations (netlocs) extracted from the CSRF_TRUSTED_ORIGINS setting, with any leading wildcard stripped; used to validate the Referer header on HTTPS requests that carry no Origin header. |
| allowed_origins_exact | set of strings | Cached property. The fully qualified origins from CSRF_TRUSTED_ORIGINS that contain no wildcard; matched against the Origin header by equality. |
| allowed_origin_subdomains | dict | Cached property. A mapping of allowed schemes to lists of allowed netlocs, where the netloc itself and all of its subdomains are allowed (only for that scheme). |
Constructor
Signature
def CsrfViewMiddleware(
get_response: callable
) -> None
Parameters
| Name | Type | Description |
|---|---|---|
| get_response | callable | The next middleware or view in the chain; passed by the Django middleware loader, not by application code. |
Methods
csrf_trusted_origins_hosts()
@cached_property
def csrf_trusted_origins_hosts() -> list
Extracts the network locations from the configured CSRF_TRUSTED_ORIGINS setting, stripping a leading wildcard so that "https://*.example.com" yields ".example.com". This list is used to validate the Referer header on HTTPS requests that carry no Origin header.
Returns
| Type | Description |
|---|---|
| list | A list of hostnames (netlocs) with leading wildcards removed. |
allowed_origins_exact()
@cached_property
def allowed_origins_exact() -> set
Filters the trusted origins down to those that contain no wildcard. This set is used for direct equality checks against the Origin header, so scheme, host and port must all match.
Returns
| Type | Description |
|---|---|
| set | A set of exact origin strings allowed by the configuration. |
allowed_origin_subdomains()
@cached_property
def allowed_origin_subdomains() -> dict
Builds a mapping of allowed schemes to lists of allowed netlocs from the wildcard entries of CSRF_TRUSTED_ORIGINS. An Origin header matches only if its scheme is a key in the mapping and its host is one of that scheme's netlocs or a subdomain of it.
Returns
| Type | Description |
|---|---|
| dict | A dictionary where keys are URI schemes and values are lists of hostnames that permit subdomain access. |
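The three properties above feed the Origin and Referer checks that process_view runs for unsafe methods. The following is an added, self-contained illustration of that matching logic, written for this page and not taken from Django; the function names (`origin_verified`, `referer_verified` and the helpers) are hypothetical, the trusted-origin list is constructed sample data, and the code deliberately mirrors Django's approach (exact set, per-scheme wildcard map, dot-prefixed domain patterns) while omitting details such as DisallowedHost handling, CSRF_COOKIE_DOMAIN and non-default port handling. Consult django.middleware.csrf for the authoritative version.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample setting, standing in for CSRF_TRUSTED_ORIGINS in settings.py.
# Each entry must carry its scheme; a leading "*." marks a wildcard entry.
TRUSTED_ORIGINS = [
    "https://app.example.com",    # exact origin only
    "https://*.example.org",      # example.org and every subdomain, https only
    "http://legacy.example.net",  # exact origin, plain http
]


def trusted_origin_hosts(trusted_origins):
    """Netlocs with any leading '*' stripped; the Referer check matches against these."""
    return [urlparse(origin).netloc.lstrip("*") for origin in trusted_origins]


def allowed_origins_exact(trusted_origins):
    """Entries without a wildcard: compared to the Origin header by plain equality."""
    return {origin for origin in trusted_origins if "*" not in origin}


def allowed_origin_subdomains(trusted_origins):
    """Wildcard entries grouped by scheme, e.g. {"https": [".example.org"]}."""
    result = defaultdict(list)
    for origin in trusted_origins:
        if "*" in origin:
            parsed = urlparse(origin)
            result[parsed.scheme].append(parsed.netloc.lstrip("*"))
    return result


def is_same_domain(host, pattern):
    """A pattern starting with '.' matches that domain and all of its subdomains;
    any other pattern must match exactly. Suffix tricks such as
    'evilexample.org' do not match '.example.org'."""
    if not pattern:
        return False
    pattern, host = pattern.lower(), host.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def origin_verified(request_origin, request_scheme, request_host, trusted_origins):
    """Accept or reject the Origin header of an unsafe request.

    Order of checks: the request's own origin, then the exact set, then the
    wildcard map, which only matches when the scheme agrees as well.
    """
    if request_origin == f"{request_scheme}://{request_host}":
        return True
    if request_origin in allowed_origins_exact(trusted_origins):
        return True
    try:
        parsed = urlparse(request_origin)
    except ValueError:
        return False
    patterns = allowed_origin_subdomains(trusted_origins).get(parsed.scheme, ())
    return any(is_same_domain(parsed.netloc, p) for p in patterns)


def referer_verified(referer, request_host, trusted_origins):
    """Fallback for HTTPS requests that carry no Origin header: the Referer must
    itself be https and its host must be the request host or a trusted host."""
    parsed = urlparse(referer)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    good_hosts = trusted_origin_hosts(trusted_origins) + [request_host]
    return any(is_same_domain(parsed.netloc, host) for host in good_hosts)


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://api.example.org",
                   "http://api.example.org", "https://evilexample.org", "null"):
        print(origin, origin_verified(origin, "https", "app.example.com", TRUSTED_ORIGINS))
```

Two behaviours worth noting when reviewing a CSRF_TRUSTED_ORIGINS list: a wildcard entry is scheme-bound, so "https://*.example.org" does not admit "http://api.example.org", and an Origin value of "null" (sent by sandboxed iframes and some redirects) never matches anything, so such requests are rejected unless the view is exempt.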
process_request()
def process_request(
request: [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest)
) -> None
Initializes CSRF protection for an incoming request by reading the existing secret from the CSRF cookie (or from the session when CSRF_USE_SESSIONS is enabled) and storing it in request.META["CSRF_COOKIE"] so that later stages and get_token() can use it. A secret that is present but malformed is discarded and a fresh one is scheduled to be set in the response.
Parameters
| Name | Type | Description |
|---|---|---|
| request | [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest) | The incoming request to process. |
Returns
| Type | Description |
|---|---|
| None | Nothing is returned; the request metadata is modified in place. |
process_view()
def process_view(
request: [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest),
callback: function,
callback_args: list,
callback_kwargs: dict
) -> [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) | None
Main entry point for CSRF validation, run before the view is executed. It returns None without checking for views decorated with csrf_exempt, for safe methods (GET, HEAD, OPTIONS, TRACE) and for requests flagged with _dont_enforce_csrf_checks (as the test client does). For unsafe methods it verifies the Origin header against the request's own origin and the trusted-origin sets when that header is present, otherwise verifies the Referer header on HTTPS requests, and finally compares the submitted token (form field or X-CSRFToken header, unmasked if necessary) with the secret from the cookie. Any failure is rejected through the CSRF_FAILURE_VIEW, which returns a 403 response.
Parameters
| Name | Type | Description |
|---|---|---|
| request | [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest) | The current request being processed. |
| callback | function | The view function that Django is about to call. |
| callback_args | list | Positional arguments for the view. |
| callback_kwargs | dict | Keyword arguments for the view. |
Returns
| Type | Description |
|---|---|
| [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) or None | A 403 rejection response if validation fails, or None to allow the view to proceed. |
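The final step of process_view, the token check, is the part most often misunderstood: the value in the form field is not the cookie value but a per-render masked encoding of it. The block below is an added example written for this page, not Django's own code; it re-implements the masking scheme Django's CSRF tokens use (32-character secret over letters and digits, 64-character token consisting of a random mask followed by the character-wise shifted secret) and the order of checks in the token comparison. The function names (`check_token` and its helpers) and the reject-reason strings are hypothetical, and `post_data` and `headers` are plain dicts standing in for request.POST and the request headers; the real middleware takes both from the HttpRequest.

```python
import hmac
import secrets
import string

# Same alphabet and lengths as Django's CSRF tokens: a 32-char secret, and a
# 64-char masked form (32-char mask followed by the shifted secret).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_string():
    """A fresh secret (or mask) from a CSPRNG."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_cipher_secret(secret, mask=None):
    """Return mask + (secret shifted character-wise by mask). A new random mask on
    every render means the token embedded in each page differs, so a BREACH-style
    compression attack on the page body cannot recover the cookie secret."""
    mask = mask or new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(m) for m in mask))
    return mask + "".join(chars[(s + m) % len(chars)] for s, m in pairs)


def unmask_cipher_token(token):
    """Invert mask_cipher_secret: split off the mask and undo the shift."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(m) for m in mask))
    return "".join(chars[(c - m) % len(chars)] for c, m in pairs)


def token_format_ok(token):
    """Accept only a bare 32-char secret or a 64-char masked token over the allowed alphabet."""
    return len(token) in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH) and all(
        c in CSRF_ALLOWED_CHARS for c in token
    )


def check_token(cookie_secret, post_data, headers):
    """Return None if the submitted token matches the cookie secret, else a reject reason.

    cookie_secret: the value process_request stored from the csrftoken cookie (None if absent).
    post_data:     form fields; the token field is csrfmiddlewaretoken.
    headers:       request headers; JavaScript clients send the token as X-CSRFToken.
    """
    if cookie_secret is None or not token_format_ok(cookie_secret):
        return "CSRF cookie missing or malformed"
    if len(cookie_secret) == CSRF_TOKEN_LENGTH:
        # Cookies issued by older Django versions held the masked form.
        cookie_secret = unmask_cipher_token(cookie_secret)
    token = post_data.get("csrfmiddlewaretoken", "") or headers.get("X-CSRFToken", "")
    if not token:
        return "CSRF token missing"
    if not token_format_ok(token):
        return "CSRF token has incorrect length or contains invalid characters"
    if len(token) == CSRF_TOKEN_LENGTH:
        token = unmask_cipher_token(token)
    # Constant-time comparison: a plain == would leak how many leading characters matched.
    if not hmac.compare_digest(token.encode(), cookie_secret.encode()):
        return "CSRF token incorrect"
    return None


if __name__ == "__main__":
    secret = new_csrf_string()                # what the csrftoken cookie would hold
    rendered = mask_cipher_secret(secret)     # what {% csrf_token %} puts in the form
    print(check_token(secret, {"csrfmiddlewaretoken": rendered}, {}))
    print(check_token(secret, {"csrfmiddlewaretoken": rendered[:-1]}, {}))
```

The practical consequence for clients: a browser-side script may send either the raw cookie value or the masked value from the form in the X-CSRFToken header, since both unmask to the same secret, but it must send one of them, because the cookie alone proves nothing about where the request originated.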
process_response()
def process_response(
request: [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest),
response: [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse)
) -> [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse)
Finalizes CSRF handling. If the CSRF_COOKIE_NEEDS_UPDATE flag was set in request.META during the request cycle (by get_token() when a token was rendered, by rotate_token() on login, or by process_request when the secret was missing or malformed), the secret is written to the CSRF cookie, or to the session when CSRF_USE_SESSIONS is enabled. When a cookie is set, a "Vary: Cookie" header is also added so that caches do not serve the response to other clients.
Parameters
| Name | Type | Description |
|---|---|---|
| request | [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest) | The request object used to check for update flags. |
| response | [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) | The response object to be sent to the client. |
Returns
| Type | Description |
|---|---|
| [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) | The response object, potentially modified with a new CSRF cookie. |