Note: Disabling CSRF is unsafe from a security point of view. Please use your judgement when using the method below.
Why is this error happening?
This is happening because of the default SessionAuthentication scheme used by DRF. DRF's SessionAuthentication uses Django's session framework for authentication, which requires CSRF to be checked.
When you don't define any authentication_classes in your view/viewset, DRF uses these authentication classes as the default:

```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
}
```
Since DRF needs to support both session and non-session based authentication to the same views, it enforces CSRF check for only authenticated users. This means that only authenticated requests require CSRF tokens and anonymous requests may be sent without CSRF tokens.
If you're using an AJAX style API with SessionAuthentication, you'll need to include a valid CSRF token for any "unsafe" HTTP method calls, such as PUT, PATCH, POST or DELETE requests.
What to do then?
Now, to disable the CSRF check, you can create a custom authentication class CsrfExemptSessionAuthentication which extends the default SessionAuthentication class. In this authentication class, we override the enforce_csrf() check which was happening inside the actual SessionAuthentication:

```python
from rest_framework.authentication import SessionAuthentication, BasicAuthentication


class CsrfExemptSessionAuthentication(SessionAuthentication):

    def enforce_csrf(self, request):
        return  # To not perform the csrf check previously happening
```
In your view, you can then define the authentication_classes to be:

```python
authentication_classes = (CsrfExemptSessionAuthentication, BasicAuthentication)
```
This should handle the CSRF error.
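The answer also points out that, with SessionAuthentication, an AJAX client has to send a valid CSRF token on unsafe methods. As an added example (not part of the answer above and not DRF's or Django's own code), here is the client-side half of that approach: read the CSRF cookie and attach it as a request header, so the server-side check can stay enabled. The cookie name "csrftoken" and the header name "X-CSRFToken" are Django's defaults; the cookie string below is constructed sample data, and getCookie and buildRequestInit are helper names chosen for this example.

```javascript
// Added example (not from the answer above): attach Django's CSRF token to
// AJAX calls so SessionAuthentication's CSRF check passes without disabling it.
// Assumes Django's defaults: cookie named "csrftoken", header "X-CSRFToken".

// Safe methods (RFC 7231); Django's CSRF middleware does not check these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one cookie value out of a document.cookie-style string.
// Returns null when the cookie is absent.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Build the options object for fetch(). The CSRF header is added only for
// unsafe methods; credentials: "same-origin" sends the session cookie so
// DRF's SessionAuthentication can identify the user. Throws when an unsafe
// request is attempted without a CSRF cookie, since the server would reject it.
function buildRequestInit(method, body, cookieString, cookieName = "csrftoken") {
  const upper = method.toUpperCase();
  const headers = { "Content-Type": "application/json" };
  if (!SAFE_METHODS.has(upper)) {
    const token = getCookie(cookieName, cookieString);
    if (token === null) {
      throw new Error("CSRF cookie missing; the page must set it before unsafe requests");
    }
    headers["X-CSRFToken"] = token;
  }
  const init = { method: upper, headers, credentials: "same-origin" };
  if (body !== undefined && !SAFE_METHODS.has(upper)) {
    init.body = JSON.stringify(body);
  }
  return init;
}

// Constructed sample of what document.cookie might look like on a Django site.
const SAMPLE_COOKIES = "sessionid=abc123; csrftoken=T0kenValue42; theme=dark";

// Browser usage (not executed here):
// fetch("/api/items/", buildRequestInit("POST", { name: "x" }, document.cookie));
```

Because the token is read from the cookie and echoed in a header, the request only succeeds for a page that can read that cookie, which is exactly the property the server-side check relies on; a GET carries no token because Django never requires one for safe methods.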