diff options
| author | Grzegorz Slusarek <gslusarek@gmail.com> | 2015-02-21 22:57:02 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-05 15:03:40 -0500 |
| commit | 668d53cd125175eb708cc0af143f47b42cd42153 (patch) | |
| tree | 6b1ef6d43985ba7670756f92ea2c2770b56baf53 /docs/ref | |
| parent | 8e744fa1507b6d425860c54e7673e603279367eb (diff) | |
Fixed #21495 -- Added settings.CSRF_HEADER_NAME
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/csrf.txt | 4 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 18 |
2 files changed, 22 insertions, 0 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 4eaf710354..fbed973952 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -92,6 +92,9 @@ protection for your views as outlined above. The CSRF token cookie is named ``csrftoken`` by default, but you can control the cookie name via the :setting:`CSRF_COOKIE_NAME` setting. + The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can + customize it using the :setting:`CSRF_HEADER_NAME` setting. + Acquiring the token is straightforward: .. code-block:: javascript @@ -456,3 +459,4 @@ A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` +* :setting:`CSRF_HEADER_NAME` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6db21f179d..497f321531 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -409,6 +409,23 @@ where ``reason`` is a short message (intended for developers or logging, not for end users) indicating the reason the request was rejected. See :doc:`/ref/csrf`. +.. setting:: CSRF_HEADER_NAME + +CSRF_HEADER_NAME +---------------- + +.. versionadded:: 1.9 + +Default: ``'HTTP_X_CSRFTOKEN'`` + +The name of the request header used for CSRF authentication. + +As with other HTTP headers in ``request.META``, the header name received from +the server is normalized by converting all characters to uppercase, replacing +any hyphens with underscores, and adding an ``'HTTP_'`` prefix to the name. +For example, if your client sends a ``'X-XSRF-TOKEN'`` header, the setting +should be ``'HTTP_X_XSRF_TOKEN'``. + .. setting:: DATABASES DATABASES @@ -3261,6 +3278,7 @@ Security * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` * :setting:`CSRF_FAILURE_VIEW` + * :setting:`CSRF_HEADER_NAME` * :setting:`SECRET_KEY` * :setting:`X_FRAME_OPTIONS` |
