On Thu, Jan 20, 2011 at 8:57 PM, Shawn Milochik <sh...@milochik.com> wrote:
>
> On Jan 19, 2011, at 8:01 PM, scabbage wrote:
>
>> Is there a way to completely disable CSRF handling?
>
> Sure, just remove the CSRF middleware from your settings.py.

While this advice is 100% accurate, I would *strongly* caution you
not to follow it.

If someone has a problem losing their house keys, the solution isn't
to remove your front door. Yes, removing the door does remove the need
for keys, but also leaves your house open to the weather, animals,
criminals, and so on. The fix, while it does solve the immediate
problem, makes the overall situation much worse.

Django's CSRF framework exists, and is enabled by default, for a
reason. CSRF attacks are both real and common, and defence against
CSRF is an important part of any serious web deployment.

If you're having difficulty with CSRF, the solution isn't to disable
CSRF. The solution is to work out what CSRF protection means, and how
to use it correctly. Although it's a little esoteric, and a little
unusual if you've come from a web framework that doesn't enforce good
security practices, it isn't *that* hard to use. You would be well
served to understand what is going on, rather than making the CSRF
problem go away by ignoring it.

Yours,
Russ Magee %-)

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
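To make concrete what the CSRF protection being discussed actually checks, here is an added, simplified model of Django's double-submit check (the `csrftoken` cookie must match the `csrfmiddlewaretoken` form field or the `X-CSRFToken` header on unsafe methods). It is not Django's own code, and it omits the token masking and Origin/Referer checks the real middleware also performs; the names `issue_token` and `check_csrf` are this example's own.

```python
import hmac
import secrets

# Methods Django treats as safe (read-only) and therefore does not check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Mint a fresh random token; the server sets it as the csrftoken cookie."""
    return secrets.token_hex(32)


def check_csrf(method: str, cookies: dict, form: dict, headers: dict) -> tuple:
    """Model of the double-submit check a CsrfViewMiddleware-style layer does.

    Returns (allowed, reason). The cookie token must match the token echoed
    back in the POST body (csrfmiddlewaretoken) or, for AJAX, in X-CSRFToken.
    A cross-site page can make the browser *send* the cookie, but cannot
    *read* it, so it cannot produce the matching copy.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return False, "CSRF cookie not set"
    request_token = form.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not request_token:
        return False, "CSRF token missing"
    # Constant-time comparison, as the real implementation also uses.
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token incorrect"
    return True, "token ok"


if __name__ == "__main__":
    token = issue_token()  # constructed session: server set this cookie earlier
    # Legitimate form post: {% csrf_token %} put the cookie value in the form.
    print(check_csrf("POST", {"csrftoken": token}, {"csrfmiddlewaretoken": token}, {}))
    # Forged cross-site post: browser attaches the cookie, but the attacker's
    # page could not read it, so the form field is absent (or a guess).
    print(check_csrf("POST", {"csrftoken": token}, {}, {}))
    print(check_csrf("POST", {"csrftoken": token}, {"csrfmiddlewaretoken": "x" * 64}, {}))
```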