jrief / django-angular

Let AngularJS play well with Django
http://django-angular.awesto.com/
MIT License
1.23k stars, 294 forks

XSRF on the demo #230

Closed. riramar closed this issue 8 years ago.

riramar commented 8 years ago

The demo is not sending the XSRF token as a header as described here: https://docs.angularjs.org/api/ng/service/$http.

POST /formvalidation/ HTTP/1.1
Host: django-angular.awesto.com
Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://django-angular.awesto.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://django-angular.awesto.com/form_validation/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.6,pt;q=0.4
Cookie: csrftoken=x1hWNrjQTsvIJC4aHaezAbbru4ohts9X

jrief commented 8 years ago

Form Validation uses the Django solution with the hidden field.

Have a look at Model Scope and Combined Validation. There I use the $httpProvider.defaults.headers.common['X-CSRFToken'].
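Some context on the exchange above. The captured request is a plain browser form submission (Content-Type application/x-www-form-urlencoded, no X-Requested-With header), so Django's hidden `csrfmiddlewaretoken` field applies and no X-CSRFToken header is expected. For requests sent through AngularJS's `$http`, the mismatch the reporter noticed comes from naming: Django issues the cookie `csrftoken` and checks the header `X-CSRFToken`, while `$http`'s built-in XSRF support defaults to the cookie `XSRF-TOKEN` and the header `X-XSRF-TOKEN`, so out of the box it sends nothing Django recognises. The following is an added example, not code from django-angular or from either commenter: a small cookie reader, the client-side header logic, the two ways to configure `$httpProvider` (renaming the XSRF defaults, or setting the header directly as the maintainer describes), and a simplified stand-in for Django's CsrfViewMiddleware decision so both token paths can be checked offline. The `readCookie`, `djangoCsrfHeaders` and `djangoAccepts` names, the module name `demo`, and the sample cookie values are assumptions for illustration; the stand-in uses plain string equality where Django uses a constant-time comparison (and, in later versions, masked tokens).

```javascript
// Added example (not django-angular's own code). Wires AngularJS $http to
// Django's CSRF protection and models the server-side check it must satisfy.

// Minimal cookie-string parser (assumed helper, standing in for $cookies).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Methods Django's CsrfViewMiddleware does not check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Headers an $http request must carry for Django: the csrftoken cookie value
// echoed back as X-CSRFToken. Safe methods get no header at all.
function djangoCsrfHeaders(method, cookieString) {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  const token = readCookie(cookieString, 'csrftoken');
  return token ? { 'X-CSRFToken': token } : {};
}

// Simplified stand-in for Django's decision (assumption: plain equality instead
// of Django's constant-time compare; no masked tokens). The request token may
// come from the hidden form field `csrfmiddlewaretoken` (classic Django form,
// as in the captured request) or from the X-CSRFToken header ($http request);
// either must equal the csrftoken cookie.
function djangoAccepts(method, cookieString, headers, formFields) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const cookieToken = readCookie(cookieString, 'csrftoken');
  if (!cookieToken) return false;
  // Header names are case-insensitive on the wire.
  const headerToken = Object.keys(headers)
    .filter((h) => h.toLowerCase() === 'x-csrftoken')
    .map((h) => headers[h])[0];
  const requestToken = formFields.csrfmiddlewaretoken || headerToken || null;
  return requestToken !== null && requestToken === cookieToken;
}

// AngularJS wiring (only meaningful in a browser with angular loaded; guarded
// so the file also runs under Node for the checks).
if (typeof angular !== 'undefined') {
  angular.module('demo', []).config(['$httpProvider', function ($httpProvider) {
    // Option 1: let $http's own XSRF support use Django's cookie/header names.
    $httpProvider.defaults.xsrfCookieName = 'csrftoken';
    $httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
    // Option 2 (what the maintainer's reply does): set the header on every request.
    // $httpProvider.defaults.headers.common['X-CSRFToken'] =
    //   readCookie(document.cookie, 'csrftoken');
  }]);
}

// Constructed sample cookie header, as a browser would present it.
const SAMPLE_COOKIES = 'sessionid=s3ss10n; csrftoken=demoTokenAbc123';
```

Option 1 is the cleaner choice because `$http` then only attaches the header for same-origin requests, whereas a header set in `defaults.headers.common` is sent to every host the app talks to, which leaks the token to third parties. With either option the hidden-field form and the `$http` request both pass `djangoAccepts`, which is the point of the maintainer's reply: the two demo pages use two different but equally valid token channels.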