March 2020
Intermediate to advanced
608 pages
17h 17m
English
In many cases, it is desirable to enhance a form so that it can be submitted over Ajax. Ajax submissions also need to be protected with CSRF tokens. It is possible to inject the token as extra data in each request, but that approach requires developers to remember to do so for each and every POST request. The alternative is to send the token in a CSRF token header, which makes things more efficient.
First, the token value needs to be retrieved, and how we do this depends on the value of the CSRF_USE_SESSIONS setting. When it is True, the token is stored in the session rather than a cookie, so we must use the {% csrf_token %} tag to include it in the DOM. Then, we can read that element to retrieve the data in JavaScript:
var input ...
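The retrieval and header steps described above, as an added example that is not the book's own code. It goes slightly beyond the text by also covering the cookie case (CSRF_USE_SESSIONS is False). The helper names and the sample origin are hypothetical; `csrfmiddlewaretoken`, `csrftoken` and `X-CSRFToken` are Django's default input, cookie and header names.

```javascript
// Added example: helper names are hypothetical, not from the book.

// CSRF_USE_SESSIONS = True: read the hidden input that {% csrf_token %} renders.
function tokenFromDom(doc) {
  const input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  return input ? input.value : null;
}

// CSRF_USE_SESSIONS = False: read the token from the cookie string
// (default CSRF_COOKIE_NAME is "csrftoken").
function tokenFromCookie(cookieString, name = 'csrftoken') {
  for (const part of (cookieString || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Methods Django's CSRF middleware does not check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build the extra headers for one request. The token is attached only to
// unsafe, same-origin requests so it is never sent to another host.
function csrfHeaders(method, url, pageOrigin, token) {
  const headers = {};
  const unsafe = !SAFE_METHODS.has(method.toUpperCase());
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  if (unsafe && sameOrigin) {
    // Fail before sending: the server would reject the request anyway.
    if (!token) throw new Error('CSRF token missing');
    headers['X-CSRFToken'] = token;
  }
  return headers;
}

// In a browser this would be wired up once, for example:
//   const token = tokenFromDom(document) || tokenFromCookie(document.cookie);
//   fetch(url, { method: 'POST', body: data,
//                headers: csrfHeaders('POST', url, location.origin, token) });
```

Centralising the header in one helper removes the need to remember the token on each POST, which is the problem the text raises with per-request injection.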