Django
Vitaly, 2015-09-28 08:51:31

How is csrf_token supposed to work?

Hello, I have a question about csrf_token. As I understand it, it should provide protection when submitting a form for POST requests.
The screenshot shows that it "hides" the real names of the forms when submitting, and below gives them.
Is this the correct processing of csrf_token or should it be completely hidden?

2 answer(s)
Alexey Ukolov, 2015-09-28
@alexey-m-ukolov

The CSRF token doesn't hide or reveal anything. This is simply a string by which the server determines that the user has actually requested this action.
It is used to prevent another site from embedding your form under the guise of something else.

xozzslip, 2015-09-28
@xozzslip

The csrf-token input itself is not visible because its type attribute is set to hidden. It is transmitted exactly through the input field, since there is no other option to put something in the post request, except to add this same input with some value. And if this field contains only service information and the user does not have to enter anything there, then it is logical to simply hide this field by setting the attribute type="hidden".
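
Added example, not part of the original thread and not Django's own code: a simplified model of the check the answers describe, where the server compares the hidden form field against a secret it set in the browser's cookie. The names `csrftoken` and `csrfmiddlewaretoken` are Django's defaults; the functions and the constructed requests are assumptions made for illustration, and Django's real middleware performs additional steps.

```python
import hmac
import html
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie name
FIELD_NAME = "csrfmiddlewaretoken"   # name of the hidden input Django renders


def issue_token():
    """Random per-browser secret that the server sends as a cookie."""
    return secrets.token_urlsafe(32)


def render_hidden_input(token):
    """Roughly what {% csrf_token %} emits inside a <form> (simplified)."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD_NAME, html.escape(token, quote=True))


def is_request_allowed(method, cookies, post):
    """Allow a state-changing request only if the field matches the cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie = cookies.get(COOKIE_NAME, "")
    field = post.get(FIELD_NAME, "")
    if not cookie or not field:
        return False
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(cookie.encode(), field.encode())


def demo():
    """Constructed requests: the browser attaches the cookie in every case."""
    token = issue_token()
    cookies = {COOKIE_NAME: token}
    own_form = {FIELD_NAME: token, "comment": "hi"}            # page we served
    foreign_form = {"comment": "hi"}                           # no token field
    guessed_form = {FIELD_NAME: issue_token(), "comment": "hi"}  # wrong token
    return {
        "own_form": is_request_allowed("POST", cookies, own_form),
        "foreign_form": is_request_allowed("POST", cookies, foreign_form),
        "guessed_form": is_request_allowed("POST", cookies, guessed_form),
        "get_request": is_request_allowed("GET", cookies, {}),
    }


if __name__ == "__main__":
    print(render_hidden_input(issue_token()))
    print(demo())
```

The token is visible in the submitted form data by design: the protection comes from a page on another origin being unable to read the value, not from the field being concealed.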
