Fixed #21495 -- Added settings.CSRF_HEADER_NAME

2025-11-13 17:09:28 +00:00 · 2015-02-21 22:57:02 +01:00 · 2015-02-21 22:57:02 +01:00 · 668d53cd12
commit 668d53cd12
parent 8e744fa150
7 changed files with 41 additions and 1 deletions
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@ -555,6 +555,7 @@ CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = '/'
 CSRF_COOKIE_SECURE = False
 CSRF_COOKIE_HTTPONLY = False
+CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'

 ############
 # MESSAGES #
--- a/django/middleware/csrf.py
+++ b/django/middleware/csrf.py
@ -183,7 +183,7 @@ class CsrfViewMiddleware(object):
            if request_csrf_token == "":
                # Fall back to X-CSRFToken, to make things easier for AJAX,
                # and possible for PUT/DELETE.
-                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
+                request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')

            if not constant_time_compare(request_csrf_token, csrf_token):
                return self._reject(request, REASON_BAD_TOKEN)