Cross-site request forgery：

Cross-site request forgery, also known as a one-click attack or session riding and
abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby  
unauthorized commands are transmitted from a user that the website trusts.Unlike cross-
site scripting (XSS), which exploits the trust a user has for a particular site, CSRF 
exploits the trust that a site has in a user's browser.

使用秘密cookie

只接受POST请求

Applications can be developed to only accept POST requests for the execution of business 
logic. The misconception is that since the attacker cannot construct a malicious link,
a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are
numerous methods in which an attacker can trick a victim into submitting a forged POST
request, such as a simple form hosted in attacker's website with hidden values. This 
form can be triggered automatically by JavaScript or can be triggered by the victim who
thinks form will do something else.

Reference link

Django每次请求服务器时都会设置csrftoken cookie，当您将数据从客户端发布到服务器时，此令牌与该令牌匹配，如果不匹配，则抛出错误，这是恶意请求。在

如果可以使用csrf_exempt decorator来禁用特定视图的csrf保护。在

from django.views.decorators.csrf import csrf_exempt

然后在你的视图前面写@csrf_exempt

CSRF代表：跨站点请求伪造

当涉及到Web应用程序时，这是一种非常常见的攻击。因此，不仅Django，而且包括rubyonrails在内的大多数其他框架都提供了防止这种攻击的支持。在

在Django中，通过发送“csrfmiddlewaretoken”作为POST数据来完成。然后Django将此令牌的值与合法令牌的值进行匹配。如果它与通过的请求匹配，则会引发错误。在

{%csrf_token%}模板标记生成具有合法csrf令牌值的隐藏输入字段。在

所有处理和异常引发都在CsrfViewMiddleware中完成。 你可以在Django文档中找到更多关于这个的信息（很好的解释）：https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/