Understanding CSRF
You must have noticed something called a cross-site request forgery (CSRF) token in the form templates. What does it do? It is a security mechanism against CSRF attacks for your forms.
It works by injecting a server-generated random string called a CSRF token, unique to a user's session. Every time a form is submitted, it must have a hidden field that contains this token. This token ensures that the form was generated for the user by the original site, and proves that it is not a fake form created by an attacker with similar fields.
CSRF tokens are not recommended for forms using the GET
method because the GET
actions should not change the server state. Moreover, forms submitted via GET
would expose the CSRF token in the URLs. Since URLs have a higher risk of being logged or shoulder-sniffed, it is better to use CSRF in forms using the POST
method.