Changed return status for CSRF failures to HTTP 403

By default, Django returns "HTTP 403 Forbidden" responses when CSRF validation failed[1]. CSRF is a case of authorization, not of authentication. Therefore `PermissionDenied` should be raised instead of `AuthenticationFailed`. [1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
2025-01-23 15:54:16 +03:00 · 2014-06-02 00:41:58 +02:00 · 2014-06-02 00:41:58 +02:00 · b187f53453
commit b187f53453
parent 5d80f7f932
1 changed files with 1 additions and 1 deletions
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@ -129,7 +129,7 @@ class SessionAuthentication(BaseAuthentication):
        reason = CSRFCheck().process_view(request, None, (), {})
        if reason:
            # CSRF failed, bail with explicit error message
-            raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
+            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)


 class TokenAuthentication(BaseAuthentication):