Django and AngularJS both have CSRF support already, so your part is quite simple.
First, you need to enable CSRF in Django. I believe you have already done so; if not, follow the Django docs: https://docs.djangoproject.com/en/1.5/ref/contrib/csrf/#ajax.
Now, Django will set a cookie named csrftoken on the first GET request and expects a custom HTTP header X-CSRFToken on later POST/PUT/DELETE requests.
Angular, on the other hand, expects the cookie to be named XSRF-TOKEN and will send POST/PUT/DELETE requests with an X-XSRF-TOKEN header, so you need a small tweak to make the two work with each other:
$httpProvider.defaults.xsrfCookieName="csrftoken";
$httpProvider.defaults.xsrfHeaderName="X-CSRFToken";
Add the above two lines somewhere in your JS code; a module.config() block is a good place for this.
That’s it.
NOTE: This is for Angular 1.1.5; older versions might need a different approach.
Update:
Since the Angular app isn't served by Django, in order for the cookie to be set, the Angular app needs to do a GET request to Django first.
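To make the mismatch (and the "GET first" point above) concrete, here is a small model of both sides of the exchange. This is added example code, not from the answer or from Angular/Django; the cookie and header names are the ones quoted above, the token value is constructed, and the Django side is a simplified stand-in for CsrfViewMiddleware of the 1.5 era (cookie value must equal header value).

```javascript
// Angular's built-in defaults versus the names Django expects (from the answer).
const ANGULAR_DEFAULTS = { xsrfCookieName: "XSRF-TOKEN", xsrfHeaderName: "X-XSRF-TOKEN" };
const DJANGO_NAMES = { xsrfCookieName: "csrftoken", xsrfHeaderName: "X-CSRFToken" };

// Methods Django's CSRF check does not protect.
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Client side: what $http does with xsrfCookieName / xsrfHeaderName.
// If the configured cookie is present, its value is copied into the
// configured header; if the cookie was never set, no header is sent.
function angularRequestHeaders(cookieString, config) {
  const token = parseCookies(cookieString)[config.xsrfCookieName];
  return token ? { [config.xsrfHeaderName]: token } : {};
}

// Server side: simplified Django check. Safe methods pass; any other method
// needs the csrftoken cookie and a matching X-CSRFToken header
// (header names compared case-insensitively, as HTTP requires).
function djangoAccepts(method, cookieString, headers) {
  if (SAFE_METHODS.includes(method.toUpperCase())) return true;
  const cookieToken = parseCookies(cookieString)["csrftoken"];
  if (!cookieToken) return false;
  const headerName = Object.keys(headers).find(h => h.toLowerCase() === "x-csrftoken");
  return headerName !== undefined && headers[headerName] === cookieToken;
}

// Whole round trip: given the cookies the browser holds after the first GET
// and an Angular config, does a POST get past Django's CSRF check?
function postSucceeds(cookieString, config) {
  return djangoAccepts("POST", cookieString, angularRequestHeaders(cookieString, config));
}
```

With Angular's defaults the POST is rejected even though the csrftoken cookie is there, and with an empty cookie jar (no GET to Django yet) it is rejected regardless of config.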