Commit f00ad416 authored by Luke Plant's avatar Luke Plant


Added explicit notes about the need to update any customised templates for contrib apps for CSRF changes



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11667 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent f6ef3fd9
@@ -172,9 +172,13 @@ you will have a working installation but without any CSRF protection for your
views (just as you had before). It is strongly recommended to install
``CsrfViewMiddleware`` and ``CsrfResponseMiddleware``, as described above.

(Note that contrib apps, such as the admin, have been updated to use the
Note that contrib apps, such as the admin, have been updated to use the
``csrf_protect`` decorator, so that they are secured even if you do not add the
``CsrfViewMiddleware`` to your settings).
``CsrfViewMiddleware`` to your settings.  However, if you have suuplied
customised templates to any of the view functions of contrib apps (whether
explicitly via a keyword argument, or by overriding built-in templates), **you
MUST update them** to include the ``csrf_token`` template tag as described
above, or they will stop working.

Assuming you have followed the above, all views in your Django site will now be
protected by the ``CsrfViewMiddleware``.  Contrib apps meet the requirements
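Review bot: typo in the new paragraph, "suuplied" should read "supplied". Two smaller points in the same paragraph: "they will stop working" is vague for an upgrade note, so say what actually happens, that form submissions from those templates will be rejected by the ``csrf_protect`` check until the ``csrf_token`` tag is added; and "as described above" would be more useful as an explicit cross-reference to the section that shows the tag, since this paragraph is exactly where someone upgrading a custom admin template will land.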
@@ -13,6 +13,11 @@ changes that developers must be aware of:
   will be removed completely in Django 1.4, in favour of a template tag that
   should be inserted into forms.

 * All contrib apps use a ``csrf_protect`` decorator to protect the view.  This
   requires the use of the csrf_token template tag in the template, so if you
   have used custom templates for contrib views, you MUST READ THE UPGRADE
   INSTRUCTIONS to fix those templates.

 * ``CsrfViewMiddleware`` is included in :setting:`MIDDLEWARE_CLASSES` by
   default. This turns on CSRF protection by default, so that views that accept
   POST requests need to be written to work with the middleware.  Instructions
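Review bot: the new bullet tells the reader they "MUST READ THE UPGRADE INSTRUCTIONS" but gives no reference, so replace the all-caps text with a link to the upgrade section (the surrounding release notes already use Sphinx roles such as :setting:, so a :ref: to that section would fit the style). Also mark csrf_token as a literal (``csrf_token``) to match ``csrf_protect`` on the line above.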