I am curious: I know there are 2 ways of CSRF protection in Django: {% csrf_token %} in templates and @csrf_protect in views.
So, the question is: are they interchangeable? I mean, can I use, for example, only @csrf_protect in my views without the {% csrf_token %} tag in my templates, and will the effect be the same?
I'm asking because I use Mako in a recent Django project and there is no such tag as {% csrf_token %}...
You need both. {% csrf_token %} adds hidden fields that are included in POST requests, while @csrf_protect adds a context variable that is used by {% csrf_token %}.