At first it seems weird that we take a token from the session, put it in the page, and then compare it to the same session token. It feels like we’re just comparing a value to itself. But here is the main idea:
When you load a page with a form (a GET request), Django gives your browser a CSRF token stored in a cookie.
That same token is also added to the form as a hidden input.
When you submit the form, Django checks:
A malicious site can make your browser send cookies (like your session).
But it can’t read your CSRF token, so it can’t put the correct token into the form or the header.
So if the form didn’t come from your own site (i.e. an attacker’s page submitted it), the tokens won’t match.
Django checks the match and automatically blocks fake requests.
It’s not about hiding the token; it’s about verifying that the request came from your site.
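The check described above, as an added example that is not Django's own code: a simplified model of the cookie-vs-form comparison, where a legitimate submission carries the same token in both places and a cross-site request carries the cookie but not the form field. The function names, the `csrftoken` cookie and the `csrfmiddlewaretoken` field name follow Django's defaults; the real middleware additionally masks the token and checks Origin/Referer, which this model omits.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs

# Simplified model of Django's CSRF check (added example, not Django's code).
# Real Django also masks the token and validates Origin/Referer headers.


def issue_token() -> str:
    """Server side of the GET: mint the token that is set as the csrftoken cookie."""
    return secrets.token_hex(16)


def render_form(token: str) -> str:
    """The hidden input that {% csrf_token %} puts into the page for the same token."""
    return f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'


def csrf_check(cookie_header: str, body: str, x_csrftoken: Optional[str] = None) -> bool:
    """Server side of the POST: cookie token must equal the form field (or X-CSRFToken header).

    A cross-site page can make the browser attach the cookie, but it cannot read
    the token, so it cannot reproduce it in the body or header; the check fails.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if "csrftoken" not in cookies:
        return False  # no cookie token at all: reject
    cookie_token = cookies["csrftoken"].value
    submitted = x_csrftoken or parse_qs(body).get("csrfmiddlewaretoken", [""])[0]
    if not submitted:
        return False  # form/header token missing: reject
    # Constant-time comparison so timing does not leak the token.
    return hmac.compare_digest(cookie_token, submitted)


if __name__ == "__main__":
    token = issue_token()
    cookie = f"sessionid=abc; csrftoken={token}"  # constructed sample request cookies
    # Legitimate POST from your own page: form field carries the token.
    print("own form:", csrf_check(cookie, f"csrfmiddlewaretoken={token}&amount=100"))
    # Forged POST: browser still sends the cookie, but the field is absent or wrong.
    print("forged:", csrf_check(cookie, "amount=100"))
```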