Tags: django, csrf, jinja2

How to use csrf_token protection in the Jinja2 template engine?


In Django template I used:

<form action="/user" method="post">{% csrf_token %}
    {{ form.as_p|safe }}
    <input type="submit" value="Submit" />
</form>

But I get an error when I change to the Jinja2 template engine:

 Encountered unknown tag 'csrf_token'

My question: is csrf_token protection required in Jinja2?

If it is required, how do I do this?

Thanks in advance!


Solution

  • Yes, you still want to use Cross Site Request Forgery protection, but Jinja2 works a little differently.

    Instead of this default Django Template Language string:

    {% csrf_token %}
    

    You can replace it with this for Jinja2, which has the same behavior of outputting the full hidden HTML input element:

    {{ csrf_input }}
    

    You can also use {{ csrf_token }} by itself in a Jinja2 template to get just the CSRF token itself and manually create your own form field like:

    <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
    
