I've read several posts about csrf protection in Django, including Django's documentation , but I'm still quite confused in how to use it correctly.
The clearest part is the HTML one, but the Python's one is kinda confusing.
{% csrf_token %} inside the form
c = {}
c.update(csrf(request))
You need it in every form when displaying and requesting the information, don't you?
Then, how do you include this csrf protection in the return render()? Is this correct?
return render(request,'index.html',{'var':var_value})
or should I include the c somewhere like in the Python documentation example (return render_to_response("a_template.html", c)). Or, if it's correct, is it included in the request var?
And, when not needing to use csrf because I don't have any form. Would this be the right form to return values to a template?
return render(request,'index.html',{'var':var_value})
The point of using the render shortcut is that it then runs all the context processors automatically. Context processors are useful little functions that add various things to the template context every time a template is rendered. And there is a built-in context processor that already adds the CSRF token for you. So, if you use render, there is nothing more to do other than to output the token in the template.