Do CSRF attacks apply to API’s?

by

That’s not the purpose of CSRF protection. CSRF protection is to prevent direct posting of data to your site. In other words, the client must actually post through an approved path, i.e. view the form page, fill it out, submit the data.

An API pretty much precludes CSRF, because its entire purpose is generally to allow 3rd-party entities to access and manipulate data on your site (the “cross-site” in CSRF). So, yes, I think as a rule any API view should be CSRF exempt. However, you should still follow best practices and protect every API-endpoint that actually makes a change with some form of authentication, such as OAuth.

More Related Contents:

  1. find_element_by_class_name for multiple classes [duplicate]
  2. What’s the purpose of Django setting ‘SECRET_KEY’?
  3. ‘pip’ is not recognized as an internal or external command
  4. What is the difference between null=True and blank=True in Django?
  5. Django REST Framework upload image: “The submitted data was not a file”
  6. How to send email via Django?
  7. Difference between static STATIC_URL and STATIC_ROOT on Django
  8. Django Query That Get Most Recent Objects From Different Categories
  9. Django rest framework serializing many to many field
  10. How to compare two JSON objects with the same elements in a different order equal?
  11. How to replace Django’s primary key with a different integer that is unique for that table
  12. How to encode UTF8 filename for HTTP headers? (Python, Django)
  13. Django Model MultipleChoice
  14. No web processes running Django in heroku
  15. Django – what is the difference between render(), render_to_response() and direct_to_template()?
  16. ‘NOT NULL constraint failed’ after adding to models.py
  17. Unresolved attribute reference ‘objects’ for class ” in PyCharm
  18. Django: How to allow a Suspicious File Operation / copy a file
  19. How to change ForeignKey display text in the Django Admin?
  20. Nested inlines in the Django admin?
  21. Reverse for ‘*’ with arguments ‘()’ and keyword arguments ‘{}’ not found
  22. Django-tastypie: Any example on file upload in POST?
  23. auth.User.groups: (fields.E304) Reverse accessor for ‘User.groups’ clashes with reverse accessor for ‘UserManage.groups’
  24. Django-DB-Migrations: cannot ALTER TABLE because it has pending trigger events
  25. Good ways to sort a queryset? – Django
  26. Django — Conditional Login Redirect
  27. How do I access dictionary keys that contain hyphens from within a Django template?
  28. CSRF validation does not work on Django using HTTPS
  29. How to properly use the “choices” field option in Django
  30. How to use custom AdminSite class?

Leave a Comment