Ajax - Is exposing a session's CSRF-protection token safe


Questions

https://github.com/brosner/django-csrf/blob/master/django_csrf/middleware.py

I'd like to use AJAX for some POST requests, but said requests don't have the CSRF token available. The pages have no <form> elements to hook into and I'd rather not muddy up the markup inserting the token as a hidden value. I figure a good way to do this is to expose a view like /get-csrf-token/ to return the user's token, relying on browser's cross-site scripting rules to prevent hostile sites from requesting it.

Is this a good idea? Are there better ways to protect against CSRF attacks while still allowing AJAX requests?

Answers

If you know you're going to need the CSRF token for AJAX requests, you can always embed it in the HTML somewhere; then you can find it through JavaScript by traversing the DOM. This way, you'll still have access to the token, but you're not exposing it via an API.

To put it another way: do it through Django's templates -- not through the URL dispatcher. It's much more secure this way.

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/144696/is-exposing-a-sessions-csrf-protection-token-safe
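The approach in the answer, as an added example that is not from the original post or from django-csrf: the template renders the token into a `<meta>` tag (the tag name `csrf-token` and the `X-CSRFToken` header are assumptions), client-side code reads it from the markup, and the helper attaches it only to state-changing, same-origin requests so it is never handed to a third-party URL.

```javascript
// Added example (not from the original answer). Assumes the Django template
// renders the token into a <meta> tag, e.g.
//   <meta name="csrf-token" content="{{ csrf_token }}">
// and that the server-side middleware checks the X-CSRFToken request header.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the token out of the rendered markup. In a browser this would be
//   document.querySelector('meta[name="csrf-token"]').content;
// a small regex stands in here so the example runs without a DOM.
function readCsrfToken(html) {
  const m = /<meta\s+name="csrf-token"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Build the headers for an AJAX request. The token is attached only for
// state-changing methods and only to same-origin URLs, so reusing this helper
// for a third-party URL cannot leak the token.
function csrfHeaders(token, method, url, pageOrigin) {
  const headers = { "X-Requested-With": "XMLHttpRequest" };
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  const target = new URL(url, pageOrigin);
  if (target.origin !== pageOrigin) {
    throw new Error(`refusing to send CSRF token cross-origin to ${target.origin}`);
  }
  headers["X-CSRFToken"] = token;
  return headers;
}

// Constructed sample page: what the template would have rendered.
const SAMPLE_HTML = `<html><head>
<meta name="csrf-token" content="constructed-token-0123456789abcdef">
</head><body><p>No &lt;form&gt; on this page.</p></body></html>`;

// Browser usage (not run here): pass the headers to fetch() or XMLHttpRequest.
// fetch("/vote/", {
//   method: "POST",
//   credentials: "same-origin",
//   headers: csrfHeaders(readCsrfToken(document.head.outerHTML),
//                        "POST", "/vote/", location.origin),
//   body: JSON.stringify({ id: 42 }),
// });
```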
