Forbidden (CSRF token missing.): /accounts/login/


errant wraith

Hi,
I want to build APIs using Django (no DRF) and I decided to use the built-in authentication. When I call http://127.0.0.1:8000/accounts/login with the credentials in the request body I always get the error in the title. I did not remember well how CSRF attacks work and how a CSRF token can help to mitigate them, so I did some research. It seems that for a CSRF attack to happen these conditions must be satisfied:

  • there must be an action that an attacker finds interesting to perform (placing an Amazon order on the behalf of the victim and shipping it to their address)
  • a vulnerable website that uses cookies for authentication (session cookies) and does not verify anything else other than the authentication cookie
  • predictable query params

The CSRF token, if I understood correctly, must be generated by the server-side application and shared with the client (how? I read that it should be embedded in HTML). I do use session cookies because that's how Django's built-in authentication works, but there is no server-side rendering happening, so how do I get a CSRF token for the login endpoint? Is it even necessary?
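
As an added, constructed example (not Django's own code and not part of the original post), the following models the check behind the error in the title and the two clients that matter for the question: first-party JavaScript, which can read the `csrftoken` cookie and copy it into the `X-CSRFToken` header, and a page on another origin, which can make the browser send the cookie but cannot read it. The cookie name, header name and the three rejection strings are Django's defaults; `csrf_view`, `spa_login`, `cross_site_login`, the `/api/csrf/` path and the `alice`/`s3cret` credentials are assumptions made for illustration. The real `CsrfViewMiddleware` additionally masks the token and checks `Origin`/`Referer`, which this model omits.

```python
"""Constructed model of the check behind "Forbidden (CSRF token missing.)".

Added example, not Django's own code. It keeps only the core of
django.middleware.csrf.CsrfViewMiddleware: an unsafe request must repeat the
value of the `csrftoken` cookie in the `X-CSRFToken` header (or in the
`csrfmiddlewaretoken` form field). Token masking and Origin/Referer checks
of the real middleware are left out.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
CSRF_COOKIE = "csrftoken"     # Django default for settings.CSRF_COOKIE_NAME
CSRF_HEADER = "X-CSRFToken"   # Django reads it as request.META["HTTP_X_CSRFTOKEN"]

# Rejection reasons, matching the strings Django logs.
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_MISSING = "CSRF token missing."
REASON_INCORRECT = "CSRF token incorrect."


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption: not Django's HttpRequest)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser
    headers: dict = field(default_factory=dict)   # settable only by page JS
    body: dict = field(default_factory=dict)


def csrf_view(request):
    """GET /api/csrf/ (hypothetical path): make sure the client has a token cookie.

    Equivalent to an empty view decorated with
    django.views.decorators.csrf.ensure_csrf_cookie; a SPA calls it once and
    then reads the cookie via document.cookie.
    """
    token = request.cookies.get(CSRF_COOKIE) or secrets.token_urlsafe(32)
    return {"status": 204, "set_cookie": {CSRF_COOKIE: token}}


def check_csrf(request):
    """Return None if the request passes, otherwise the rejection reason."""
    if request.method in SAFE_METHODS:
        return None
    cookie_token = request.cookies.get(CSRF_COOKIE)
    if not cookie_token:
        return REASON_NO_COOKIE
    # Django looks at the form field first, then at the header.
    sent = request.body.get("csrfmiddlewaretoken") or request.headers.get(CSRF_HEADER, "")
    if not sent:
        return REASON_MISSING
    if not hmac.compare_digest(cookie_token.encode(), sent.encode()):
        return REASON_INCORRECT
    return None


def login_view(request):
    """POST /accounts/login/ sitting behind the CSRF check."""
    reason = check_csrf(request)
    if reason:
        return {"status": 403, "error": f"Forbidden ({reason}): {request.path}"}
    # Constructed credentials for the example only.
    if request.body.get("username") == "alice" and request.body.get("password") == "s3cret":
        return {"status": 200, "set_cookie": {"sessionid": secrets.token_hex(16)}}
    return {"status": 401, "error": "bad credentials"}


# --- two clients sharing the same browser cookie jar -------------------------

def spa_login(jar):
    """First-party JavaScript: fetch the cookie, then copy it into the header."""
    resp = csrf_view(Request("GET", "/api/csrf/", cookies=dict(jar)))
    jar.update(resp["set_cookie"])
    req = Request(
        "POST", "/accounts/login/",
        cookies=dict(jar),                          # the browser attaches them
        headers={CSRF_HEADER: jar[CSRF_COOKIE]},    # same-origin JS can read the cookie
        body={"username": "alice", "password": "s3cret"},
    )
    return login_view(req)


def cross_site_login(jar):
    """Page on another origin (login CSRF: log the victim into the attacker's
    account). The browser still attaches the victim's cookies, but the foreign
    page cannot read them, so it cannot fill the header."""
    req = Request(
        "POST", "/accounts/login/",
        cookies=dict(jar),
        headers={},
        body={"username": "attacker", "password": "attacker-pw"},
    )
    return login_view(req)


if __name__ == "__main__":
    jar = {}
    print("SPA:        ", spa_login(jar)["status"])
    print("cross-site: ", cross_site_login(jar)["error"])
    print("no cookie:  ", cross_site_login({})["error"])
```

A request that carries the `csrftoken` cookie but nothing in the header produces exactly the message in the title; a request with no cookie at all is rejected with "CSRF cookie not set." instead. In a real project the `/api/csrf/` view is any view decorated with `ensure_csrf_cookie` (or one that calls `django.middleware.csrf.get_token(request)`), and the login view stays behind `CsrfViewMiddleware`; the client reads the `csrftoken` cookie and sends it back as `X-CSRFToken`. Marking the login view `csrf_exempt` would remove the protection against the login-CSRF case modelled above.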

royal isle