DJE-002 Error Security

Missing CSRF protection on WebSocket-adjacent views

Error message

CSRF token missing or incorrect on form submission

Django's CsrfViewMiddleware checks a token on every unsafe HTTP request (POST, PUT, PATCH, DELETE) that reaches an ordinary view. A WebSocket connection is set up by an upgrade handshake that is handled outside that HTTP middleware chain, so when a traditional form view is wired up next to a WebSocket-driven LiveView, developers sometimes hit "CSRF token missing or incorrect" on the form, assume the socket's own authentication covers it, and reach for @csrf_exempt. It does not: the form endpoint is still a cookie-authenticated HTTP view, and exempting it lets a page on any other origin submit that form with the victim's session attached. The error means the template is not rendering {% csrf_token %} (or an AJAX caller is not sending the token), not that the view should be exempted. Django's SameSite=Lax cookie defaults narrow the window for this attack but are not a substitute for the token check.

Tags: csrf, security, websocket

Affected versions: >=0.2.0

Solution

Before (problematic)
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # BAD: turns off CsrfViewMiddleware for this view, so a cross-site POST is accepted
def update_profile(request):
    if request.method == "POST":
        # process form...
        return HttpResponse("profile updated")
    return HttpResponse("form")

After (fixed)
from django.http import HttpResponse

def update_profile(request):
    # No decorator: CsrfViewMiddleware rejects any POST whose
    # csrfmiddlewaretoken does not match the CSRF cookie (HTTP 403)
    # before this function is ever called.
    if request.method == "POST":
        # process form...
        return HttpResponse("profile updated")
    # The template that renders this form must include {% csrf_token %}
    # so the browser has a token to send back with the submission.
    return HttpResponse("form")