March 2020
608 pages
Django uses a hidden-field approach to prevent CSRF attacks. A token is generated on the server from a combination of request-specific and randomized information; a cross-site page cannot read it, so a forged POST cannot carry a valid one. Through CsrfViewMiddleware, this token is automatically made available in the request context, and every unsafe request (POST, PUT, PATCH, DELETE) is rejected unless it presents a matching token. Disabling this middleware is not recommended, but if it is disabled, individual views can still get the same protection by applying the @csrf_protect decorator (the view takes the usual request argument):

from django.views.decorators.csrf import csrf_protect

@csrf_protect
def my_protected_form_view(request):
    ...
Similarly, we can exclude individual views from CSRF checks, even when the middleware is enabled, by using the @csrf_exempt decorator:
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_unsecured_form_view(request):
    ...
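To show what the two decorators and the middleware actually decide on, here is an added, self-contained model of the hidden-field check that runs without a Django install. It is example code, not Django's own implementation: the Request class, the csrf_protect, csrf_exempt and csrf_middleware functions, the cookie and field names, and the sample requests in demo() are all constructed for this illustration. The token masking follows the same scheme Django uses (a random mask prefixed to the per-character shifted secret, so the hidden-field value differs on every render while always unmasking to the same secret), and views are marked exempt through a csrf_exempt attribute, which is also how Django's middleware recognises them.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field
from functools import wraps

# Constructed stand-in for Django's CSRF machinery (not Django code).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Minimal request object: method, POST fields and cookies."""
    method: str
    POST: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def new_secret() -> str:
    """Random per-session secret that the server stores in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Value rendered into the hidden form field: random mask + shifted secret."""
    mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: recover the secret from a submitted hidden-field value."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def check_token(request: Request) -> bool:
    """True only if the hidden field unmasks to the secret held in the cookie."""
    secret = request.cookies.get("csrftoken")
    token = request.POST.get("csrfmiddlewaretoken", "")
    if not secret or len(token) != 2 * CSRF_SECRET_LENGTH:
        return False
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(unmask_token(token), secret)


def csrf_protect(view):
    """Enforce the token check on unsafe methods for this one view."""
    @wraps(view)
    def wrapped(request, *args, **kwargs):
        if request.method not in SAFE_METHODS and not check_token(request):
            return 403, "CSRF verification failed"
        return view(request, *args, **kwargs)
    return wrapped


def csrf_exempt(view):
    """Mark the view so the middleware skips it (attribute name as in Django)."""
    @wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def csrf_middleware(view):
    """Stand-in for CsrfViewMiddleware: protect every view unless marked exempt."""
    if getattr(view, "csrf_exempt", False):
        return view
    return csrf_protect(view)


@csrf_protect
def my_protected_form_view(request):
    return 200, "protected form handled"


@csrf_exempt
def my_unsecured_form_view(request):
    return 200, "exempt form handled"


def plain_view(request):
    return 200, "plain view handled"


def demo() -> dict:
    """Constructed requests: a legitimate POST, a cross-site POST without the
    hidden field, and a POST whose hidden field belongs to a different secret."""
    secret = new_secret()
    legit = Request("POST", {"csrfmiddlewaretoken": mask_secret(secret)}, {"csrftoken": secret})
    forged = Request("POST", {}, {"csrftoken": secret})  # browser sends cookie, but no field
    wrong = Request("POST", {"csrfmiddlewaretoken": mask_secret(new_secret())}, {"csrftoken": secret})
    return {
        "protected_legit": my_protected_form_view(legit)[0],
        "protected_forged": my_protected_form_view(forged)[0],
        "protected_wrong": my_protected_form_view(wrong)[0],
        "protected_get": my_protected_form_view(Request("GET"))[0],
        "exempt_forged": csrf_middleware(my_unsecured_form_view)(forged)[0],
        "middleware_forged": csrf_middleware(plain_view)(forged)[0],
    }
```

Running demo() shows the three outcomes the text describes: the protected view accepts the request whose hidden field unmasks to the cookie secret and returns 403 for the forged and mismatched ones, the exempt view is passed through by the middleware untouched, and an undecorated view behind the middleware is rejected just as a @csrf_protect view would be.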