python.django.missing_csrf

Security Critical

Detects Django views without CSRF protection.

Missing CSRF protection exposes the application to:

  • Cross-site request forgery — Attackers can perform actions as user
  • Account takeover — Password/email change attacks
  • Data manipulation — Unauthorized transactions
```python
# ❌ Before (CSRF disabled)
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def payment_view(request):
    # Process payment without CSRF check!
    return process_payment(request)
```
```python
# ✅ After (with CSRF protection)
from django.middleware.csrf import get_token
from django.shortcuts import render

def payment_view(request):
    # CSRF middleware handles protection automatically:
    # a POST without a valid token is rejected before this view runs
    if request.method == 'POST':
        return process_payment(request)
    return render(request, 'payment.html', {
        'csrf_token': get_token(request)
    })
```
Flagged patterns:

  • @csrf_exempt decorators
  • Views bypassing CsrfViewMiddleware
  • AJAX endpoints without CSRF headers
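As an added example (not part of this rule page or its implementation), a minimal stdlib-only checker that flags the first pattern above: views decorated with `@csrf_exempt`, including the `csrf.csrf_exempt` attribute form, plus a view wrapped directly by a `csrf_exempt(view)` call. The Django source it scans is constructed here; `process_payment`, `handle` and `legacy_handler` are placeholder names.

```python
import ast

# Constructed sample of Django view code (not from the rule page) to scan.
SAMPLE_SOURCE = """\
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators import csrf

@csrf_exempt
def payment_view(request):
    return process_payment(request)

@csrf.csrf_exempt
def webhook(request):
    return handle(request)

def safe_view(request):
    return render(request, "payment.html")

legacy = csrf_exempt(legacy_handler)
"""

def _names_csrf_exempt(node: ast.AST) -> bool:
    """True if the expression is csrf_exempt, either bare or as module.csrf_exempt."""
    if isinstance(node, ast.Call):  # e.g. csrf_exempt(view) used as a wrapper
        node = node.func
    if isinstance(node, ast.Name):
        return node.id == "csrf_exempt"
    return isinstance(node, ast.Attribute) and node.attr == "csrf_exempt"

def find_csrf_exempt(source: str) -> list[tuple[int, str]]:
    """Return (line, view_name) for every view whose CSRF check is disabled:
    decorated with @csrf_exempt, or wrapped directly via csrf_exempt(view)."""
    findings = []
    seen_decorators = set()  # ids of decorator nodes, to avoid double-reporting
    for node in ast.walk(ast.parse(source)):  # BFS: a def is visited before its decorators
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            seen_decorators.update(id(d) for d in node.decorator_list)
            if any(_names_csrf_exempt(d) for d in node.decorator_list):
                findings.append((node.lineno, node.name))
        elif isinstance(node, ast.Call) and id(node) not in seen_decorators:
            if _names_csrf_exempt(node) and node.args:
                arg = node.args[0]
                target = arg.id if isinstance(arg, ast.Name) else "<expression>"
                findings.append((node.lineno, target))
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_csrf_exempt(SAMPLE_SOURCE):
        print(f"line {line}: CSRF protection disabled for {name!r}")
```

The checker is syntactic only: it cannot see `csrf_exempt` applied in URLconf or via an aliased import, so treat a clean result as a first pass rather than proof of coverage.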