From a29fce89845cc9ca2fa96d8880104726b75dfbd6 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 18 Oct 2018 19:44:15 -0400 Subject: [PATCH] Fixed #29858 -- Clarified docs regarding CSRF token header name. --- docs/ref/csrf.txt | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 5971271003..11edff2407 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -60,9 +60,10 @@ AJAX While the above method can be used for AJAX POST requests, it has some inconveniences: you have to remember to pass the CSRF token in as POST data with every POST request. For this reason, there is an alternative method: on each -XMLHttpRequest, set a custom ``X-CSRFToken`` header to the value of the CSRF -token. This is often easier, because many JavaScript frameworks provide hooks -that allow headers to be set on every request. +XMLHttpRequest, set a custom ``X-CSRFToken`` header (as specified by the +:setting:`CSRF_HEADER_NAME` setting) to the value of the CSRF token. This is +often easier because many JavaScript frameworks provide hooks that allow +headers to be set on every request. First, you must get the CSRF token. How to do that depends on whether or not the :setting:`CSRF_USE_SESSIONS` setting is enabled. @@ -73,13 +74,8 @@ Acquiring the token if :setting:`CSRF_USE_SESSIONS` is ``False`` The recommended source for the token is the ``csrftoken`` cookie, which will be set if you've enabled CSRF protection for your views as outlined above. -.. note:: - - The CSRF token cookie is named ``csrftoken`` by default, but you can control - the cookie name via the :setting:`CSRF_COOKIE_NAME` setting. - - The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can - customize it using the :setting:`CSRF_HEADER_NAME` setting. +The CSRF token cookie is named ``csrftoken`` by default, but you can control +the cookie name via the :setting:`CSRF_COOKIE_NAME` setting. Acquiring the token is straightforward:
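Review bot: in the first hunk, "set a custom ``X-CSRFToken`` header (as specified by the :setting:`CSRF_HEADER_NAME` setting)" reads as if the setting holds the literal header name, but the note removed later in this patch shows the setting's default is ``HTTP_X_CSRFTOKEN``, i.e. the ``request.META`` key form (``HTTP_`` prefix, upper-case, dashes turned into underscores), not the wire header. Suggest wording that makes the relationship explicit, e.g. "set a custom ``X-CSRFToken`` header to the value of the CSRF token (the header is looked up via the :setting:`CSRF_HEADER_NAME` setting, whose default ``HTTP_X_CSRFTOKEN`` is the ``request.META`` form of that header)", so a reader who changes the setting knows which header the client must actually send.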
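Review bot: in the second hunk, deleting the sentence "The CSRF header name is ``HTTP_X_CSRFTOKEN`` by default, but you can customize it using the :setting:`CSRF_HEADER_NAME` setting" removes the only place on this page that states the default value and its META-style spelling; the replacement parenthetical in the first hunk names the setting but not the value. Unless the :setting:`CSRF_HEADER_NAME` reference entry already spells out that mapping, consider keeping one sentence here (or next to the ``X-CSRFToken`` paragraph) stating the ``HTTP_X_CSRFTOKEN`` default, since a mismatch between the header the JavaScript sends and the key the middleware checks silently fails every AJAX POST with a 403. Promoting the cookie-name sentence from a ``.. note::`` to body text is fine.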