Configuration
These settings should be added to settings.py to control hx-requests behavior.
Messages Configuration
HX_REQUESTS_USE_HX_MESSAGES
Default: False
Set this to True to enable hx-requests messages. If False, messages will not be displayed, even if they are set.
HX_REQUESTS_HX_MESSAGES_TEMPLATE
Default: No Default
Path to the template used for displaying messages.
The context in this template has access to messages, following the same behavior as Django’s
Messages framework.
Modal Configuration
HX_REQUESTS_MODAL_TEMPLATE
Default: None
Path to the template used for modals.
HX_REQUESTS_MODAL_BODY_ID
Default: #hx_modal_body
A CSS selector for the modal body.
Set this only if HX_REQUESTS_MODAL_TEMPLATE is overridden.
Note
See How To Use Modals for details on overriding the default modal template.
Security Configuration
The following settings control which HxRequests can be triggered from which views or apps.
They are designed to protect your project from unintended or cross-app access.
HX_REQUESTS_ENFORCE_SAME_APP
Default: True
When set to True, each HxRequest can only be triggered from views in the same Django app.
This enforces strict app isolation by default.
HX_REQUESTS_ENFORCE_SAME_APP = True
If set to False, HxRequests can be triggered from any app, unless restricted
by more specific allowlists.
Warning
Disabling this setting allows cross-app access for all HxRequests.
Only disable it in highly controlled environments where all apps are trusted
and data exposure is not a risk.
HX_REQUESTS_GLOBAL_ALLOW
Default: []
Defines a global allowlist of apps or specific HxRequests that may be called
from anywhere in the project, even across app boundaries.
Two forms are supported:
List form: Allow all HxRequests from specific apps.
HX_REQUESTS_GLOBAL_ALLOW = ["app1", "app2"]
Dict form: Map app names to specific HxRequest class names.
Use "__all__" to allow all requests from that app.
HX_REQUESTS_GLOBAL_ALLOW = {
"app1": ["safe_hx_request", "safe_hx_2"],
"app2": "__all__"
}
Note
This setting is ideal for internal shared libraries or utility apps that are intentionally designed for cross-app use.
Warning
Avoid whitelisting untrusted or third-party apps.
Doing so allows them to execute their HxRequests anywhere in your project.
HX_REQUESTS_REQUIRE_AUTH
Default: True
When set to True, all HxRequests require an authenticated user by default. Unauthenticated users will be blocked unless the request is explicitly listed in the unauthenticated allowlist below.
HX_REQUESTS_REQUIRE_AUTH = True
HX_REQUESTS_UNAUTHENTICATED_ALLOW
Default: {}
Defines specific HxRequests that may be executed without authentication. This setting uses the same structure as the global allowlist.
List form: allow all HxRequests from the listed apps.
HX_REQUESTS_UNAUTHENTICATED_ALLOW = ["app1"]
Dict form: map app labels to specific HxRequest names, or “__all__” to allow every request in that app.
HX_REQUESTS_UNAUTHENTICATED_ALLOW = {
"app1": "__all__",
"app2": ["hx_request_1", "hx_request_2"]
}
Warning
Only include safe, read-only, or non-sensitive HxRequests here. Requests listed in this allowlist can be executed by unauthenticated users.