A number of settings can be used to control Django's CSRF behavior:

* :setting:`CSRF_COOKIE_DOMAIN`
* :setting:`CSRF_COOKIE_HTTPONLY`
* :setting:`CSRF_COOKIE_NAME`
* :setting:`CSRF_COOKIE_PATH`
* :setting:`CSRF_COOKIE_SECURE`
* :setting:`CSRF_FAILURE_VIEW`

:setting:`CSRF_COOKIE_DOMAIN`

The domain to be used when setting the CSRF cookie. This can be useful for
easily allowing cross-subdomain requests to be excluded from the normal
cross-site request forgery protection. It should be set to a string such as
``".example.com"`` to allow a POST request from a form on one subdomain to be
accepted by a view served from another subdomain.

Please note that, with or without use of this setting, this CSRF protection
mechanism is not safe against cross-subdomain attacks -- see `Limitations`_.

:setting:`CSRF_COOKIE_NAME`

Default: ``'csrftoken'``

The name of the cookie to use for the CSRF authentication token. This can be

:setting:`CSRF_COOKIE_PATH`

.. versionadded:: 1.4

The path set on the CSRF cookie. This should either match the URL path of your
Django installation or be a parent of that path.

This is useful if you have multiple Django instances running under the same
hostname. They can use different cookie paths, and each instance will only see

:setting:`CSRF_COOKIE_SECURE`

.. versionadded:: 1.4

Whether to use a secure cookie for the CSRF cookie. If this is set to ``True``,
the cookie will be marked as "secure", which means browsers may ensure that the
cookie is only sent over an HTTPS connection.

:setting:`CSRF_FAILURE_VIEW`

Default: ``'django.views.csrf.csrf_failure'``

A dotted path to the view function to be used when an incoming request
is rejected by the CSRF protection. The function should have this signature::

    def csrf_failure(request, reason="")

where ``reason`` is a short message (intended for developers or logging, not for
end users) indicating the reason the request was rejected.
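The following is an added example, not code from Django or from this documentation. It shows the two practical pieces the settings above imply: a ``csrf_failure`` view with the signature given for :setting:`CSRF_FAILURE_VIEW`, which logs the developer-facing ``reason`` but never echoes it to the end user, and a small audit that flags weak values of :setting:`CSRF_COOKIE_SECURE`, :setting:`CSRF_COOKIE_DOMAIN`, :setting:`CSRF_COOKIE_PATH` and :setting:`CSRF_FAILURE_VIEW` against the install path. It runs without Django installed: ``Request`` and ``Forbidden`` are minimal stand-ins for Django's ``HttpRequest`` and ``HttpResponseForbidden`` (an assumption of this example; a real project returns Django's classes), and the default values for the three settings this page does not give a default for are Django's documented defaults.

```python
"""Added example (not Django's own code): a CSRF failure view that logs the
rejection reason server-side and returns a generic 403, plus an audit of the
CSRF settings described on this page."""
import logging
import re

log = logging.getLogger("csrf")

# Defaults: CSRF_COOKIE_NAME and CSRF_FAILURE_VIEW are stated on the page;
# the other three are Django's documented defaults (not restated on the page).
DEFAULTS = {
    "CSRF_COOKIE_DOMAIN": None,
    "CSRF_COOKIE_NAME": "csrftoken",
    "CSRF_COOKIE_PATH": "/",
    "CSRF_COOKIE_SECURE": False,
    "CSRF_FAILURE_VIEW": "django.views.csrf.csrf_failure",
}

# Constructed sample: a settings fragment hardened for an HTTPS-only site,
# pointing CSRF_FAILURE_VIEW at a project view (hypothetical dotted path).
HARDENED = dict(DEFAULTS, CSRF_COOKIE_SECURE=True,
                CSRF_FAILURE_VIEW="myproject.views.csrf_failure")

# "package.module.view_name": at least one dot, identifier components only.
DOTTED_PATH = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")


def audit_csrf_settings(settings, install_path="/"):
    """Return a list of findings for the CSRF settings in `settings`.
    `install_path` is the URL path the Django instance is served under."""
    s = dict(DEFAULTS, **settings)
    findings = []
    if s["CSRF_COOKIE_SECURE"] is not True:
        findings.append("CSRF_COOKIE_SECURE is not True: browsers may send the "
                        "CSRF cookie over plain HTTP")
    if s["CSRF_COOKIE_DOMAIN"] is not None:
        findings.append("CSRF_COOKIE_DOMAIN=%r: forms on any subdomain are "
                        "accepted, and the mechanism is not safe against "
                        "cross-subdomain attacks (see Limitations)"
                        % s["CSRF_COOKIE_DOMAIN"])
    path = s["CSRF_COOKIE_PATH"]
    # The cookie path must equal the install path or be a parent of it,
    # otherwise the browser never sends the cookie to the application.
    if not (install_path == path
            or install_path.startswith(path.rstrip("/") + "/")):
        findings.append("CSRF_COOKIE_PATH=%r does not match or contain the "
                        "install path %r" % (path, install_path))
    view = s["CSRF_FAILURE_VIEW"]
    if not isinstance(view, str) or not DOTTED_PATH.match(view):
        findings.append("CSRF_FAILURE_VIEW=%r is not a dotted path to a view"
                        % (view,))
    return findings


class Request:
    """Stand-in for the parts of django.http.HttpRequest used here (assumption)."""
    def __init__(self, method, path, meta):
        self.method, self.path, self.META = method, path, meta


class Forbidden:
    """Stand-in for django.http.HttpResponseForbidden (assumption)."""
    status_code = 403

    def __init__(self, content):
        self.content = content.encode("utf-8")


def failure_log_entry(request, reason=""):
    """What gets logged: enough to investigate, nothing shown to the user."""
    return {
        "method": request.method,
        "path": request.path,
        "remote_addr": request.META.get("REMOTE_ADDR", "?"),
        "referer": request.META.get("HTTP_REFERER", ""),
        "reason": reason,
    }


def csrf_failure(request, reason=""):
    """View with the CSRF_FAILURE_VIEW signature the page gives. `reason` is
    meant for developers and logs, so it is logged but never echoed."""
    log.warning("CSRF rejected: %s", failure_log_entry(request, reason))
    return Forbidden("Request rejected: the form could not be verified. "
                     "Reload the page and try again.")


# Constructed sample request, as the CSRF middleware would hand to the view.
SAMPLE_REQUEST = Request("POST", "/accounts/login/",
                         {"REMOTE_ADDR": "203.0.113.7",
                          "HTTP_REFERER": "https://other.example/"})

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("default settings:", audit_csrf_settings({}))
    print("hardened settings:", audit_csrf_settings(HARDENED))
    resp = csrf_failure(SAMPLE_REQUEST, reason="CSRF token missing or incorrect.")
    print(resp.status_code, resp.content.decode())
```

Running the module audits Django's defaults (which report the cookie as not ``secure``) against the hardened fragment, then shows that the 403 body stays generic while the ``reason`` only reaches the log.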