I'm new to Django. I'm setting up a bank payment option (banklink) for my Django website. As per the bank's technical docs, I have to POST certain key/value data to their endpoint. I'm using an HTML form to POST the data, and I'm wondering whether I need to add the {% csrf_token %} to the form that is being posted to the bank endpoint. If I post the data to my own endpoint, the form won't even work without the CSRF token, but it seems to work when POSTing to an external endpoint. I assume that if the external endpoint isn't using Django, the added csrf_token value in the POST data wouldn't mean anything to them anyway. Or are there any other considerations I should evaluate?
Thank you
CodePudding user response:
Indeed, you should not include {% csrf_token %} when POSTing to an external endpoint, as stated by the Django documentation:

"This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability."
There are no other necessary considerations I can think of, except for adhering to the technical docs of the bank of course.
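The leak the Django docs warn about is easy to introduce by habit (copying an internal form and only changing its action), so a small template check is a useful guard. The script below is an added example, not code from the original post or from Django itself: it scans Django template source for <form> elements whose action is an absolute URL on a host other than your own and that still contain {% csrf_token %}. The sample template, the hostname bank.example and the field names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample template (not from the original post). Form 1 posts to the
# site's own view, form 2 leaks the CSRF token to an external bank endpoint,
# form 3 is the correct way to post to that external endpoint.
SAMPLE_TEMPLATE = """
<form method="post" action="{% url 'checkout' %}">
  {% csrf_token %}
  <input type="hidden" name="order" value="{{ order.id }}">
</form>

<form method="post" action="https://bank.example/banklink/pay">
  {% csrf_token %}
  <input type="hidden" name="amount" value="{{ amount }}">
</form>

<form method="post" action="https://bank.example/banklink/pay">
  <input type="hidden" name="amount" value="{{ amount }}">
</form>
"""

# Match each <form ...>...</form> block (non-greedy, across lines).
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
# Match the action attribute with either quote style.
ACTION_RE = re.compile(r"""\baction\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
# Match the Django csrf_token template tag, tolerating whitespace inside the tag.
CSRF_RE = re.compile(r"\{%\s*csrf_token\s*%\}")


def is_external_action(action, own_hosts):
    """Return True when the action is an absolute URL on a host we do not own.

    Relative paths and template tags such as {% url 'name' %} have no scheme or
    host and are treated as internal.
    """
    parsed = urlparse(action.strip())
    if not parsed.scheme or not parsed.netloc:
        return False
    return parsed.hostname not in own_hosts


def find_leaking_forms(template_source, own_hosts=frozenset()):
    """Return [(line_number, action)] for forms that would leak the CSRF token."""
    findings = []
    for match in FORM_RE.finditer(template_source):
        attrs, body = match.group(1), match.group(2)
        action_match = ACTION_RE.search(attrs)
        action = ""
        if action_match:
            action = action_match.group(1) or action_match.group(2) or ""
        if is_external_action(action, own_hosts) and CSRF_RE.search(body):
            line_no = template_source.count("\n", 0, match.start()) + 1
            findings.append((line_no, action))
    return findings


if __name__ == "__main__":
    # shop.example is the constructed hostname of "our" site for this example.
    for line_no, action in find_leaking_forms(SAMPLE_TEMPLATE, {"shop.example"}):
        print(f"line {line_no}: form posting to {action} includes csrf_token")
```

Running the check over every template in a project (for example in CI) catches the copy-paste case before it ships; the internal form keeps its token, and the external form is reported only when the token is present.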