# CSRF

**Cross-Site Request Forgery (CSRF) protection.**

Plain protects against [CSRF attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery) through a [middleware](https://plainframework.com/docs/plain/plain/csrf/middleware.py?llm) that compares the `csrftoken` cookie it generates with the CSRF token sent in the request (either the `_csrftoken` field in the form data or the `CSRF-Token` header). A cross-site page can make the browser send the cookie, but it cannot read the cookie's value, so it cannot supply a matching token in the request.

## Usage

The `CsrfViewMiddleware` is [automatically installed](https://plainframework.com/docs/plain/plain/internal/handlers/base.py?llm#BUILTIN_BEFORE_MIDDLEWARE), so you don't need to add it to your `settings.MIDDLEWARE`.

When you use HTML forms, include the CSRF token in the form data via a hidden input placed inside the `<form>`:

```html
{{ csrf_input }}
```

Requests that are not sent from an HTML form (for example `fetch` calls from JavaScript) can send the same token value in the `CSRF-Token` header instead.
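To make the cookie-versus-token comparison concrete, here is an added, self-contained Python sketch of the check described above. It is not Plain's middleware and does not use its API; the cookie name `csrftoken`, the form field `_csrftoken` and the `CSRF-Token` header come from the page, while `generate_token`, `csrf_check`, `csrf_input`, the request dictionaries and the sample requests at the bottom are assumptions made for illustration.

```python
import hmac
import html
import secrets

# Names taken from the page: the cookie, the form field and the header that the
# middleware compares. Everything else in this file is an added illustration.
COOKIE_NAME = "csrftoken"
FORM_FIELD = "_csrftoken"
HEADER_NAME = "CSRF-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # read-only methods are not checked


def generate_token() -> str:
    """Unpredictable value to set as the csrftoken cookie (hypothetical helper)."""
    return secrets.token_urlsafe(32)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup, because HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check(method: str, cookies: dict, form: dict, headers: dict) -> tuple:
    """Return (allowed, reason) for one request.

    A cross-site attacker can make the victim's browser *send* the csrftoken
    cookie, but cannot *read* it, so they cannot put a matching value into the
    form field or the header. The comparison therefore only succeeds for
    requests built by pages we rendered ourselves.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"

    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "csrftoken cookie missing"

    # The token may arrive either in the form body or in the header.
    request_token = form.get(FORM_FIELD) or _header(headers, HEADER_NAME)
    if not request_token:
        return False, "no CSRF token in form data or CSRF-Token header"

    # Constant-time comparison (a design choice in this example) so the check
    # does not leak how many leading characters matched. Comparing bytes also
    # avoids a TypeError if a client sends non-ASCII junk as the token.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def csrf_input(cookie_token: str) -> str:
    """Hidden input a template would render, in the spirit of {{ csrf_input }}."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{html.escape(cookie_token)}">'


if __name__ == "__main__":
    token = generate_token()
    # Legitimate form post: cookie and hidden field carry the same value.
    print(csrf_check("POST", {COOKIE_NAME: token}, {FORM_FIELD: token}, {}))
    # Forged cross-site post: the browser attaches the cookie, but the
    # attacker's form cannot include the secret, so the check fails.
    print(csrf_check("POST", {COOKIE_NAME: token}, {"amount": "1000"}, {}))
    # JavaScript client sending the token in the header instead of the form.
    print(csrf_check("POST", {COOKIE_NAME: token}, {}, {"csrf-token": token}))
```

The forged request in the second sample is the attack the middleware exists to stop: the cookie is present because the browser adds it automatically, yet the request carries no token (or a wrong one), so it is rejected.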