I've been working on setting up a new project that's never going to see the light of production, so I went down the road of just disabling CSRF for that purpose. I notably found that the Django admin still requires CSRF, even when the middleware has been removed from the MIDDLEWARE setting. I found this because the development environment I was working in, Codespaces, forwards and redirects to a browser via a public address rather than localhost, and that difference means that CSRF checks were enforced in that environment, though I had no trouble with localhost. There's likely some details I'm missing in laying out this scenario, but it felt interesting enough to mention in the context of this conversation.
-- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/72019908-a072-45fc-bd55-3dbf675711cdn%40googlegroups.com.