Add information on how to deal with CSRF protection

2025-07-13 01:32:24 +03:00 · 2019-12-27 15:05:06 +00:00 · 2019-12-27 15:05:06 +00:00 · 56cbecb3d1
commit 56cbecb3d1
parent 7940a7b954
1 changed files with 23 additions and 1 deletions
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -66,4 +66,26 @@ The most basic ``schema.py`` looks like this:
    schema = graphene.Schema(query=Query)


-To learn how to extend the schema object for your project, read the basic tutorial.
+To learn how to extend the schema object for your project, read the basic tutorial.
+
+CSRF exempt
+-----------
+
+If have enabled `CSRF protection <https://docs.djangoproject.com/en/3.0/ref/csrf/>`_ in your Django app
+you will find that it prevents your API clients from POSTing to the ``graphql`` endpoint. You can either
+update your API client to pass the CSRF token with each request (the Django docs have a guide on how to do that: https://docs.djangoproject.com/en/3.0/ref/csrf/#ajax) or you can exempt your Graphql endpoint from CSRF protection by wrapping the ``GraphQLView`` with the ``csrf_exempt``
+decorator:
+
+.. code:: python
+
+    # urls.py
+
+    from django.urls import path
+    from django.views.decorators.csrf import csrf_exempt
+
+    from graphene_django.views import GraphQLView
+
+    urlpatterns = [
+        # ...
+        path("graphql", csrf_exempt(GraphQLView.as_view(graphiql=True))),
+    ]