### Adding a Form:

Add a fomr inside the index.html file, the form should have the following inpust:
- 1x text input
- 1x button

Your index.html file should look like the following block:

If you save everything and request the root address, you will see that everything works just fine.<br><br>
Additionally, if you click on the send button, you will notice that the uname input field and its value get added to the URL of the page.<br>
Please understand that each time you click the send button, your form gets submitted and the page reloads.<br><br>
What you have witnessed is the standard behavior of HTML buttons inside the form tag. The reason for this is that the default type of buttons within a form tag is submit. You can change the button type to button if you do not want the form to be submitted when you click on it.<br>

### What Submitting a Form Means

Submitting a form means sending the data entered in the form fields to the server for processing. This is typically done in one of two ways:

1. GET Method: When the form data is appended to the URL as query parameters. This is useful for search forms where you want the URL to be shareable.
2. POST Method: When the form data is sent in the body of the HTTP request, making it more suitable for sensitive information or larger datasets.

When a form is submitted, the browser performs the following steps:

1. Gathers all the form data.
2. Sends an HTTP request to the server with this data.
3. The server processes the request and returns a response.
4. The browser then reloads the page with the server's response.

By default, forms use the GET method if no method is specified. You can specify the method by adding the method attribute to the form tag, like so:

In [None]:
<form method="post">

### Changing Button Behavior

If you don't want the form to submit when a button is clicked, you can change the button type to button instead of submit:

In [None]:
<button type="button">Click Me</button>

This way, the button can be used for other actions, like triggering JavaScript functions, without submitting the form.

### Changing the Form Method to POST

To change the form method to POST, you need to add an attribute called method and set it to POST.

Your form tag should look like the following block:

### If you save everything, reload the page, and click on send, you will get a Forbidden error.

The reason is that Django has built-in protection against Cross-Site Request Forgery (CSRF) attacks. When you use the POST method, Django requires a CSRF token to be included in the form to validate the request.

#### What is CSRF?

CSRF stands for Cross-Site Request Forgery. It is a type of security vulnerability in web applications where an attacker tricks a user into performing actions on a web application in which they are authenticated, without their consent. This can lead to unauthorized actions being performed on behalf of the user.

#### How CSRF Attacks Work:

1. Authentication Context: The user is logged into a web application.
2. Malicious Request: The attacker crafts a malicious request (usually in the form of a URL, form submission, or an image load) and somehow convinces the user to execute it (by visiting a malicious website, for example).
3. Automatic Submission: The browser automatically includes the user's session cookies or other authentication tokens with the request.
4. Unauthorized Actions: The web application receives the request and performs the action, assuming it was made by the authenticated user.

#### Example of a CSRF Attack:

Imagine a user is logged into a banking website. The attacker sends the user an email with a link to a malicious website that contains a hidden form that submits a fund transfer request to the banking site. If the user visits the malicious website while still logged into their bank, the hidden form is submitted automatically, transferring money without the user’s consent.
CSRF Protection in Django

Django includes built-in protection against CSRF attacks by requiring a CSRF token to be included with any POST request that modifies data. This token is a unique, secret value that the server generates and sends to the client. The client must send it back with each subsequent POST request, allowing the server to verify that the request is legitimate.

### Adding the CSRF Token

To include the CSRF token, you need to add the {% csrf_token %} template tag inside your form. This tag generates a hidden input field with a token that Django will check to ensure the request is coming from a trusted source.

Your updated form should look like this:

In [None]:
<form method='POST'>
    {% csrf_token %}
    <label for='username'>Your Name</label>
    <input type="text" placeholder='e.g., Ramin' name="uname" id="username">
    <button>Send</button>
</form>

If you relof the page and check the page source code you will see a new input is added (user cant see it in the webpage), and this input has a value which is the CSRF token created by django.<br>

In [None]:
<input type="hidden" name="csrfmiddlewaretoken" value="eqb822ROPcUY6AWpeHXN0pEfJYt1aOIOdeCdeSy9uM5h82K19VIMHgxTMuTBHUFw">

### In the next notebook you will lern how to utilize the sent data