python - How to use Django's @csrf_exempt decorator to enable an API to do PUT?
I'm building a Django application with django-rest-framework APIs. I have built an API endpoint as shown below.
I want to be able to POST data from my browser. I want this POST operation to retrieve an object model from my database that has the matching primary key as given in the URL. And I want to modify that retrieved object based on the data posted by the browser.
If I could just grab the posted data from my viewset, I would be done. But when I try to execute that viewset's update() function, I get a CSRF error.
From my urls.py file:

    router.register(r'replycomment', views.ReplyComment, base_name="replycomment")

From my views.py file:

    import json
    import logging

    from rest_framework import status, viewsets
    from rest_framework.response import Response

    from .models import Comment  # assumed location of the Comment model

    logger = logging.getLogger(__name__)


    class ReplyComment(viewsets.ViewSet):
        def update(self, request, pk=None):
            try:
                origcomment = Comment.objects.get(pk=pk)
                # Here, code that modifies the state of origcomment and saves it.
                return Response(
                    json.dumps(True),
                    status=status.HTTP_200_OK,
                )
            except Exception as exception:
                logger.error(exception)
                return Response(status=status.HTTP_400_BAD_REQUEST)

I'm using the Advanced REST Client (ARC) tool in my Chrome browser. When I point the ARC tool to http://127.0.0.1:3001/api/replycomment/2/ using the POST method, I get the following error:

    {
        detail: "CSRF Failed: CSRF token missing or incorrect."
    }

This doc indicates that I should use the @csrf_exempt decorator. I put that decorator on my update() function above. But it seemed to make no difference.
What changes do I need to make to ensure my POST works as I intend it to?
It is highly recommended not to disable CSRF protection for session authentication. Doing so will make your app vulnerable to attacks. For the API, DRF enforces CSRF protection for session authentication. If you use another authentication backend (Basic, Auth Token or OAuth), it will work without asking for CSRF tokens, since CSRF attacks happen in browsers. Now, if your API is going to be used by non-browser clients, you can enable one of the other auth backends. For example, using Basic auth:

    # settings.py
    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.BasicAuthentication',
        ),
    }

And enable Basic auth in ARC.
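As an added example (not code from the original post), the following builds the two kinds of request the answer contrasts, using PUT because DRF routes PUT on the detail URL to `update()`: one carrying Basic credentials, and one carrying a session cookie plus the CSRF token in the `X-CSRFToken` header. The payload field `text`, the account `alice`/`s3cret` and the cookie values are constructed for illustration; `sessionid`, `csrftoken` and `X-CSRFToken` are Django's default names.

```python
import base64
import json
import urllib.request

API_URL = "http://127.0.0.1:3001/api/replycomment/2/"  # URL from the question


def put_with_basic_auth(url, payload, username, password):
    """PUT for BasicAuthentication: credentials travel in the Authorization
    header on every request, and DRF runs no CSRF check for this class.
    The header is only base64-encoded, so use HTTPS outside local testing."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},
    )


def put_with_session(url, payload, sessionid, csrftoken):
    """PUT for SessionAuthentication: the session cookie authenticates, so
    the CSRF token must also be echoed in the X-CSRFToken header."""
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Cookie": f"sessionid={sessionid}; csrftoken={csrftoken}",
                 "X-CSRFToken": csrftoken},
    )


def send(request):
    """Send a prepared request; return (status, parsed JSON body)."""
    with urllib.request.urlopen(request, timeout=5) as resp:
        return resp.status, json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed account and payload, for illustration only.
    req = put_with_basic_auth(API_URL, {"text": "edited"}, "alice", "s3cret")
    print(req.get_method(), req.full_url, sorted(req.header_items()))
```

Pass either request to `send()` against a running development server to compare the responses.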