Tuesday, February 26, 2013

Django, Ajax, Post, and CSRF

I was having a little trouble putting together a simple ajax request and response with Django. It seems like it should be simple task—just use the jquery ajax methods in the html page to call a simple view from the Django site. How hard can that be? Well it turns out that there are three major issues I had to overcome, but taking those into account it is actually very simple.

First, Django uses some middleware to avoid cross-site request forgery, which is essentially where another site pretends to be your site and submits requests to the URL that is designed to accept your form data. Attempts to make the request were failing with a 403 error, which means I was not authorized to make the request.

Second, Django has some logic in the dispatcher of the class-based-views that will not allow a POST request without specific code for the post. Normally this is a security benefit and a general convenience, and not something that has to be considered. But in this case I wanted to use POST so I had to choose the right method to override in my class based view.

Third, the template and view system of Django is designed to deliver templated data. Instead, I wanted to return raw JSON strings without all of the surrounding HTML and all of the rigamarole that comes with it. Fortunately, that is easily overriden in the class-based views.

A quick note on class-based views in Django:  Traditional views in Django were very simple--a function was defined for each view and and at the end it called a rendering method that passed a context with any data to send to the view along with the name of a template to fill with the data. It was stupid simple and allowed the building of dynamic web applications with very little code. But as the application got more complex, it turned out that there were lots of things that needed to be included in each view method, such as passing along session variables or setting headers or other things. In addition, a whole group of views might have a specific security or formatting characteristic in common that needed to be repeated over and over. These could be abstracted out into methods or decorators applied to the methods, but even those were tedious to use. The class-based views might seem slightly more complicated at first, but after a while their power and timesaving-abilities quickly become evident.

I should also note that I am using Django version 1.4.1. In searching for solutions to these issues, it was clear that the handling of CSRF has improved in each new version, and the older solutions outlined are not necessarily valid or necessary in version 1.4.1.

Solving the CSRF problem was the first hurdle. The problem could be solved by turning off the protection provided by the CSRF middleware, but why make it easier to exploit or bring down your web application? Especially when the solution is so simple. I went through several iterations of applying decorators to the sending and the receiving views, messing with headers, etc., and finally settled on the extremely simple task of including the CSRF token in the JSON data sent with the post request. Using jQuery, the javascript call to send the data (in this case, just a name and email) was simply:

    url:"{% url process_request %}",
    data: {name:nameText,
            csrfmiddlewaretoken:'{{ csrf_token }}'
    ; },
    dataType: "json",
    type: "POST",
    success: successFunction,
    error: errorFunction


The key here is the csrfmiddlewaretoken data sent. That is basically all that is necessary to avoid the 403 error. No additional decorators or headers or cookies are needed.

The next hurdle was the question of the POST request. My page was successfully making the request, but my server was denying the request with a 405 error because the POST request was not the proper type. I eventually settled on a very simple use of the class-based views to properly process the data. The view that receives the data should be descended from the django.views.generic.View class. So we simply need this:

from django.http import HttpResponse

from django.views.generic import View

from json import dumps
class ProcessRequestInfoView(View):

    def post(self, context, **response_kwargs):
        name = self.request.POST.get('name','')
        email = self.request.POST.get('email','')
        ... do some work here processing the data 
            and make the response anything you like ...
        response = {"result":"OK","greeting":greeting} 
        return HttpResponse(dumps(response))

You don't need to do anything with the CSRF token...it is all handled automatically by the middleware. whatever you put in the "response" object is rendered into json and sent back to your success function as defined in the javascript.

The final issue, the need for POST is resolved by the view code above as well. Note that the "post" method is used to process the data. This tells Django to use a post request and that a post request is valid. And in the javascript above, note that we explicitly mark the dataType as JSON. These two things ensure that the POST request is allowed and processed, and that the return data is interpreted as JSON.

There is probably other stuff to do that is recommended which I don't know about, such as content-type headers or cookie settings, or whatever. If you know of something I left out, please drop me a comment! But given all the different info I found floating around about this, I am happy to report that this simple recipe works.


  1. Thanks a lot for this solution about 'csrftoken' and ajax with django pattern

  2. All of this can be quite confusing and discouraging. The best advice I can give is that it looks more complicated that what it actually is. Don't be afraid to do some trial and error to figure things out, within reason.this

  3. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Training in Chennai . or learn thru Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry. JavaScript Training in Chennai

  4. Valuable Post!!! Kanhasoft is the top rated Django Web Development Company in India and USA. Hire dedicated Django developers at affordable rate. Visit our website for more.

  5. This is an awesome post. Really very informative and creative contents. This concept is a good way to enhance knowledge. I like it and help me to development very well. Thank you for this brief explanation and very nice information. Well, got good knowledge.
    WordPress website development Chennai

  6. This web site is really a walk-through for all of the info you wanted about this and didn?t know who to ask. Glimpse here, and you?ll definitely discover it.
    download drastic ds emulator apk for free

  7. This is a nice article here with some useful tips for those who are not used-to comment that frequently. Thanks for this helpful information I agree with all points you have given to us. I will follow all of them.
    Java training in Chennai

    Java training in Bangalore

  8. After reading this web site I am very satisfied simply because this site is providing comprehensive knowledge for you to audience.
    Thank you to the perform as well as discuss anything incredibly important in my opinion. We loose time waiting for your next article writing in addition to I beg one to get back to pay a visit to our website in

    Selenium training in bangalore
    Selenium training in Chennai
    Selenium training in Bangalore
    Selenium training in Pune
    Selenium Online training

  9. I thought protecting the website from the hackers is a hectic task. This post makes it easy for the developers and business people to protect the website. Keep sharing posts like this…
    Hire Cake Php Programmer
    Hire Phonegap Developer
    Hire Dedicated Laravel Developer
    Hire Dedicated Developers
    Hire Cake Php Developer

  10. thanks for your information really good and very nice web design company in velachery

  11. Whatever we gathered information from the blogs, we should implement that in practically then only we can understand that exact thing clearly, but it’s no need to do it, because you have explained the concepts very well. It was crystal clear, keep sharing..
    Java Training in Chennai
    Java Training in Coimbatore
    Java Training in Bangalore

  12. thanks for your information really good and very nice web design company in velachery

  13. Outstanding blog thanks for sharing such wonderful blog with us ,after long time came across such knowlegeble blog. keep sharing such informative blog with us.web design company in velachery

  14. I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
    Cyber Security Projects for Final Year

    JavaScript Training in Chennai

    Project Centers in Chennai

    JavaScript Training in Chennai

  15. Great blog thanks for sharing Looking for the best creative agency to fuel new brand ideas? Adhuntt Media is not just a digital marketing company in chennai. We specialize in revamping your brand identity to drive in best traffic that converts. Buckle up for a ride that is going to be filled with SEO, Social media marketing, unique Graphic & Logo design and efficient ads strike the perfect chord! Join the Adhuntt Media adventure right at Adhuntt Media.
    digital marketing company in chennai

  16. Nice blog thanks for sharing Is this a special day for you? Beautiful and fragrant flowers are sure to make it even more amazing of a day no doubt. This is why Karuna Nursery Gardens offers you the best rental plants in Chennai that too at drop dead prices.
    plant nursery in chennai

  17. Excellent blog thanks for sharing Pixies beauty Shop is the best place to buy cosmetics in Chennai. With thousands of premium imported brands to choose from, you’ll never run out of lipstick again. And don’t forget about the best offers and value they provide.
    beauty Shop in Chennai

  18. Really very happy to say, your post is very interesting to read. I never stop myself to say something about it. You’re doing a great job. Keep it up…

    Upgrade your career Learn Oracle Training from industry experts gets complete hands on Training, Interview preparation, and Job Assistance at Softgen Infotech.

  19. I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
    Cyber Security Projects for Final Year

    JavaScript Training in Chennai

    Project Centers in Chennai

    JavaScript Training in Chennai

  20. Very useful blog thanks for sharing IndPac India the German technology Packaging and sealing machines in India is the leading manufacturer and exporter of Packing Machines in India.