Please document using csrf_exempt for read-only POST APIs

[camd]

I have a ReactJS application that is hosted on a separate domain from my Django app. But the library (Apollo) currently only makes requests with POST. Since I have no mutations in my Graphene implementations, it's pretty safe for me to use csrf_exempt for my GraphQL view.

Would you be able to add that to your documentation somewhere so that people know this is an option. Would you also be able to confirm that I'm correct in my deduction? :) If it's still possible to write to GraphQL without mutations, I'll need to look for a different solution.

Thanks!!

[khankuan]

Related question: Is it possible to tie csrf only to Mutations?

[johandc]

👍
I had to install django-cors-headers to make the apollo client work.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[edmorley]

Not stale

[phalt]

Simply wrapping the view in a csrf_exempt is enough but yes, we should add this to the docs:

from django.views.decorators.csrf import csrf_exempt

url(r'^graphql', csrf_exempt(GraphQLView.as_view(schema=schema)), name='graphql',),

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[edmorley]

Not stale

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.