Should csrf_token be used when posting form data to external website/ server?

Time:12-29

I'm new to Django. I'm setting up a bank payment option (banklink) on my Django website. As per the bank's technical docs I have to POST certain key/value data to their endpoint. I'm using an HTML form to POST the data and I'm wondering whether I need to add the {% csrf_token %} to the form that is being posted to the bank endpoint. If I post the data to my own endpoint then the form won't even work without the CSRF token, but it seems to work when POSTing to an external endpoint. I assume that if the external endpoint isn't using Django then the added csrf_token value in the POST data wouldn't mean anything to them anyway. Or are there any other considerations I should evaluate?

Thank you

CodePudding user response:

Indeed, you should not include {% csrf_token %} when POSTing to an external endpoint, as stated by the Django documentation:

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

There are no other necessary considerations I can think of, except for adhering to the technical docs of the bank, of course.
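A small template check in the spirit of the answer above, added here as an example and not part of the original thread: it flags forms whose action points at a host other than our own and that still embed {% csrf_token %}, which is exactly the leak the Django docs warn about. The bank URL, hidden field names and own host name are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample template (not from the original post): the first form posts
# back to the site itself, the other two post to a hypothetical bank endpoint.
SAMPLE_TEMPLATE = """
<form method="post" action="{% url 'checkout' %}">
  {% csrf_token %}
  <input type="hidden" name="amount" value="10.00">
</form>
<form method="post" action="https://banklink.example-bank.test/pay">
  {% csrf_token %}
  <input type="hidden" name="VK_SERVICE" value="1011">
</form>
<form method="post" action="https://banklink.example-bank.test/pay">
  <input type="hidden" name="VK_SERVICE" value="1011">
</form>
"""

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
ACTION_RE = re.compile(r"""action\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)


def is_external(action: str, own_hosts: set[str]) -> bool:
    """An action is external if it is an absolute URL whose host is not ours.
    Relative paths and Django {% url %} tags resolve to our own origin."""
    parsed = urlparse(action.strip())
    return bool(parsed.scheme) and parsed.netloc.lower() not in own_hosts


def find_csrf_leaks(template: str, own_hosts: set[str]) -> list[str]:
    """Return the action URLs of forms that post to an external host while
    embedding {% csrf_token %}; each such form leaks the session's CSRF token."""
    leaks = []
    for attrs, body in FORM_RE.findall(template):
        m = ACTION_RE.search(attrs)
        action = m.group(2) if m else ""
        if is_external(action, own_hosts) and "{% csrf_token %}" in body:
            leaks.append(action)
    return leaks


if __name__ == "__main__":
    for url in find_csrf_leaks(SAMPLE_TEMPLATE, {"shop.example.test"}):
        print("CSRF token leaks to external endpoint:", url)
```

Run it over the project's template directory as a pre-commit or CI step; a relative action or a {% url %} tag is never reported, only absolute URLs on a foreign host.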
