X-CSRFToken header not found in the request.headers dict

maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).

http://readthedocs.org/docs/flask-seasurf/

Other

190 stars 49 forks source link

X-CSRFToken header not found in the request.headers dict #1

Closed ericem closed 12 years ago

ericem commented 12 years ago

You mention in the documentation that you look for X-CSRFToken in the request headers however you are actually doing a request.headers.get('HTTP_X_CSRFTOKEN', '') which is not a valid header and consequently fails every time. 'HTTP_X_CSRFTOKEN' needs to be replaced with 'X-CSRFToken'.

I am trying out SeaSurf with Backbone.js and aside from this issue, works great!

maxcountryman commented 12 years ago

Good catch! I'll update accordingly. Thank you.

graingert commented 12 years ago

This probably happened due to Django's META key munging

"With the exception of CONTENT_LENGTH and CONTENTTYPE, as given above, any HTTP headers in the request are converted to META keys by converting all characters to uppercase, replacing any hyphens with underscores and adding an HTTP prefix to the name. So, for example, a header called X-Bender would be mapped to the META key HTTP_X_BENDER."