About CSRF Token Cookie for Dynamic Forms
Django sends the CSRF token as a cookie only from views that render the token, e.g. a view with a form that uses the POST method.
If you create forms dynamically on a page, e.g. a chat or feedback form, you might need to trigger CSRF token creation explicitly with a custom middleware that calls the get_token() function.
Here is an example of such middleware:
from django.middleware.csrf import get_token


def ensure_csrf_cookie_middleware(get_response):
    """Call get_token() on every request so the CSRF cookie is set
    even for pages that render no form, and dynamically created
    forms can read it later from JavaScript."""

    def middleware(request):
        # Marks the request as having used the CSRF token, which makes
        # CsrfViewMiddleware set the csrftoken cookie on the response.
        get_token(request)
        response = get_response(request)
        return response

    return middleware
Include it in your settings and make it reachable by JavaScript as follows:
MIDDLEWARE = [
    "myproject.apps.core.middleware.ensure_csrf_cookie_middleware",
    # ...
]
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = False
A middleware like this also ensures that no cached token is provided in the rendered template to an unrelated visitor.
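The browser side of this setup, as an added example that is not part of the original post: with CSRF_COOKIE_HTTPONLY = False the csrftoken cookie can be read from document.cookie, and a dynamically created form has to send that value back in the X-CSRFToken header for CsrfViewMiddleware to accept the POST. The cookie name csrftoken and the header name X-CSRFToken are Django's defaults; the cookie string is passed in as a parameter so the helpers also run outside a browser, and the sample cookie string in the usage is constructed.

```javascript
// Added example, not code from the original post.
// Cookie name "csrftoken" and header name "X-CSRFToken" are Django's defaults.

// Parse a document.cookie-style string ("a=1; b=2") and return the value of
// `name`, or null when the cookie is absent. Values are URL-decoded.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue;
    if (trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// True when `url` (absolute or relative) resolves to the same origin as `origin`.
function isSameOrigin(url, origin) {
  return new URL(url, origin).origin === origin;
}

// Headers for a POST sent by a dynamically created form. The token is only
// attached to same-origin requests so it is never handed to a third party;
// when the cookie is missing no header is added and Django answers 403.
function csrfHeaders(url, origin, cookieString) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (!isSameOrigin(url, origin)) return headers;
  const token = getCookie("csrftoken", cookieString);
  if (token !== null) headers["X-CSRFToken"] = token;
  return headers;
}

// Submit a dynamically built <form> element with fetch(). Browser-only:
// relies on window, document, FormData and fetch.
async function submitDynamicForm(form, url) {
  const response = await fetch(url, {
    method: "POST",
    credentials: "same-origin",
    headers: csrfHeaders(url, window.location.origin, document.cookie),
    body: new URLSearchParams(new FormData(form)),
  });
  return response.ok;
}

// Constructed sample cookie string, as document.cookie would return it.
const sampleCookies = "sessionid=abc123; csrftoken=Zq1%2Bx; theme=dark";
console.log(csrfHeaders("/chat/send/", "https://example.com", sampleCookies));
```

Because Django rotates the CSRF cookie value, read it right before each request rather than caching it once at page load.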
Tags: Tips and Tricks, Programming, Security, Django 5.2, Django 4.2, Django 3.2, JavaScript