by udioron 3190 days ago
Another fix is to disable CSRF checks for all API calls which should not be served by a browser (assuming they use a different auth mechanism which does not involve cookies!). This makes sense since CSRF is a layer that relates to attacks involving browsers/cookie authentication.

I always believe the /login served by a browser and the /login for an API should never be the same; to echo your statement, they require different handlers. They should be two completely different views, but those views call the same login function internally. Perhaps /login is a bad example, but apply that to views where authentication and authorization are needed.
This is the right solution. CSRF checks make no sense for an API that is accessed by non-browser clients.
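As an added example that is not part of the thread and not code from any of the posters: a stdlib-only Python router with two separate login views that share one internal login function, as the reply above suggests. The browser view (/login) authenticates with a session cookie and therefore requires a synchronizer CSRF token bound to that cookie; the API view (/api/login) authenticates only with a bearer Authorization header, never reads cookies, and therefore skips the CSRF check, which is the exemption the first comment describes. The paths, the session store, the pre-issued API token and the user credentials are all constructed for the example.

```python
"""Why a cookie-authenticated view needs a CSRF check and a token-authenticated
API view can skip it. Constructed, framework-free example; runs stand-alone."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed server-side state: session id -> {"user", "csrf"}; API token -> user.
SESSIONS: dict = {}
API_TOKENS: dict = {"tok_alice_abc123": "alice"}  # hypothetical pre-issued token
USERS: dict = {"alice": "correct horse"}           # hypothetical credential store


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    headers: dict = field(default_factory=dict)   # a cross-site form post cannot set these
    form: dict = field(default_factory=dict)


def _authenticate(username: str, password: str) -> Optional[str]:
    """Shared login logic used by BOTH views."""
    if username in USERS and hmac.compare_digest(USERS[username], password):
        return username
    return None


def render_login_form() -> Tuple[str, str]:
    """GET /login: create an anonymous session and a CSRF token bound to it.
    The real page would set the cookie and embed the token in the form."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": None, "csrf": token}
    return sid, token


def csrf_ok(req: Request) -> bool:
    """Synchronizer-token check: the posted token must match the one stored
    for the session cookie. A forged cross-site post carries the cookie but
    cannot know the token, so it fails here."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return False
    return hmac.compare_digest(sess["csrf"], req.form.get("csrf_token", ""))


def browser_login(req: Request) -> Tuple[int, str]:
    """Browser view: cookie session + CSRF check, then the shared login function."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not csrf_ok(req):
        return 403, "csrf check failed"
    user = _authenticate(req.form.get("username", ""), req.form.get("password", ""))
    if user is None:
        return 401, "bad credentials"
    SESSIONS[req.cookies["session"]]["user"] = user  # upgrade the anonymous session
    return 200, f"logged in as {user}"


def api_login(req: Request) -> Tuple[int, str]:
    """API view: bearer token only, no CSRF check.
    The exemption is only safe because this handler never looks at req.cookies;
    if it fell back to cookie auth it would be CSRF-able again."""
    if req.method != "POST":
        return 405, "method not allowed"
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    user = API_TOKENS.get(auth[len("Bearer "):])
    if user is None:
        return 401, "invalid bearer token"
    return 200, f"api ok as {user}"


ROUTES = {"/login": browser_login, "/api/login": api_login}


def dispatch(req: Request) -> Tuple[int, str]:
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


if __name__ == "__main__":
    sid, tok = render_login_form()
    ok = Request("POST", "/login", cookies={"session": sid},
                 form={"csrf_token": tok, "username": "alice", "password": "correct horse"})
    forged = Request("POST", "/login", cookies={"session": sid},
                     form={"username": "alice", "password": "correct horse"})
    api = Request("POST", "/api/login", headers={"Authorization": "Bearer tok_alice_abc123"})
    api_forged = Request("POST", "/api/login", cookies={"session": sid})
    for r in (ok, forged, api, api_forged):
        print(r.path, r.headers, bool(r.form.get("csrf_token")), "->", dispatch(r))
```

The point the `__main__` block makes: the forged browser post is rejected by the CSRF check even though it carries a valid session cookie, while the forged API post is rejected for a different reason, the missing Authorization header, which is exactly why the API view does not need a CSRF layer of its own.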