CSRF protection needs to be disabled so that requests made using OAuth and other non-session-based authentication mechanisms can be properly processed. If session authentication is used, DRF will enforce CSRF protection.

XCOM-524