A: 

According to the same origin policy of most browser side scripting languages; HTTP Header's are off limits. Flash has the most insecure rules and only a few headers are off limits (most notably the Referer as it directly relates to CSRF), but flash allows you to declare custom header names so I would avoid relying on headers for secuirty. Due to flash's insecure nature some CSRF exploits can only be written in flash, most notably "cross site file upload". There are applications that only check to make sure that the Referer and the domain/ip are the same. Motorola does this for some of their products and this is secure, but not a "hardened" approach.

For most APIs the referer doesn't apply. A web browser isn't accessing the API, so an attacker can't force the browser into making a request on his behalf. The rules can change if this is a JavaScript API. But in general you shouldn't have to worry about CSRF unless a browser has an authenticated connection to the API. Also, make sure that your API calls require authentication, sometimes CSRF can be a problem even if guests can access the resource, but this may not apply in this situation.

Rook  2010-03-08 22:56:29
To answer a couple of your comments -- This is not an javascript/XHR API and yes it does implement it's own authentication. As you point out CSRF doesn't apply since the API isn't being used by a browser in the first place. I'm mainly interested in a way to disable CSRF checking for just the API and to leave it intact for the remainder of the site.
T. Stone  2010-03-08 23:07:10
Ah, sorry I don't know django. I like the python web services, especially the soap client/server.
Rook  2010-03-08 23:08:57
If you can't find an answer to the django problem it shouldn't be difficult to port your api to python web services.
Rook  2010-03-08 23:46:02
+3  A: 

How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt? http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/#ref-contrib-csrf

Brian Luft  2010-03-09 00:20:14
That is exactly the setup but `csrf_exempt` doesn't seem to make a difference. It still gives a 403 with that decorator. +1 because according to the doc this should be working, even though it's not.
T. Stone  2010-03-09 00:41:39
A: 

Since Django 1.1, the CSRF code will automatically allow AJAX requests to pass through, since browsers seem to do proper security checks. Here is the original commit and the documentation.

Alex Morega  2010-09-06 15:06:16

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security