Contact form on a user's personal site that posts to my Django DB?
I am wondering if it is possible to provide users of my Django website a copyable HTML form element to put on their own personal website that actually POSTs to my Django database?
The idea is to allow a User of my Django app to copy and paste an HTML Contact form into their own personal website with fields such as name, phone, email, notes which will all be fields of a model in my Django app.
Basically, when visitors of their website fill out the contact form, I would like to post it to my Postgres DB in a model such as:
    class Lead(models.Model):
        user = ...  # This would be the user on my Django app
        name = ...
        phone = ...
        email = ...
        notes = ...
Is this something that is possible or even safe to do? It would really be a big part of my project to allow for this lead collection.
Solution 1:[1]
There's nothing to stop one POSTing to a completely unrelated server:
<form method="POST" action="http://somewhere/something/" ...>
However, authentication is the problem. How do you know the client posting the data represents the person who it claims to represent?
Django's CSRF token is a means of verifying that whatever arrives as POST was in response to a form sent to a particular client by the Django server. If the form is not generated by the Django server, then you can't check.
You can turn off CSRF token checking, but you have to be prepared both for submission of single malicious POSTs and attempts at service denial by flooding you with multiple ones. It's a very similar problem to e-mail spam.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | nigel222 |
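The following is an added example, not code from the question or the answer. It sketches, in framework-independent Python, the checks a CSRF-exempt lead endpoint could apply to the two problems the answer raises (knowing which app user a POST belongs to, and flooding). The hidden field `form_key`, the function names, the secret and all limits are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SERVER_SECRET = b"constructed-demo-secret"  # assumption: derived from SECRET_KEY in a real app
MAX_LEN = {"name": 100, "phone": 30, "email": 254, "notes": 2000}  # assumed field limits
WINDOW_SECONDS, MAX_PER_WINDOW = 60, 5      # assumed throttle: 5 leads per key per minute
_recent = defaultdict(deque)                # form key -> timestamps of accepted posts


def _mac(user_id: str) -> str:
    return hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def make_form_key(user_id: int) -> str:
    """Value of the hidden field in the HTML snippet handed to an app user."""
    return f"{user_id}.{_mac(str(user_id))}"


def user_from_form_key(key: str):
    """Return the user id the key was issued for, or None if this server did not issue it."""
    user_id, _, mac = key.partition(".")
    if not (user_id.isascii() and user_id.isdigit()):
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user_id).encode())
    return int(user_id) if ok else None


def accept_lead(post: dict, now=None):
    """Return (http_status, lead_or_None) for one cross-site POST (no CSRF token to check)."""
    now = time.time() if now is None else now
    key = str(post.get("form_key", ""))
    user_id = user_from_form_key(key)
    if user_id is None:
        return 403, None                    # key was not issued by this server
    lead = {"user_id": user_id}
    for field, limit in MAX_LEN.items():
        value = str(post.get(field, "")).strip()
        if len(value) > limit or (field in ("name", "email") and not value):
            return 400, None                # oversized or missing required field
        lead[field] = value
    stamps = _recent[key]
    while stamps and now - stamps[0] >= WINDOW_SECONDS:
        stamps.popleft()                    # forget posts that left the window
    if len(stamps) >= MAX_PER_WINDOW:
        return 429, None                    # flood: refuse before touching the DB
    stamps.append(now)
    return 201, lead                        # caller would save this as a Lead row
```

The key is visible in the embedding page's HTML, so it only ties a submission to the right `Lead.user`; it does not prove who sent the POST, which is why the length limits and the throttle are still needed.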
