Replaced the previous method of getting it from HTTP_POST to use django's mechanism, which may or may not use HTTP_HOST. However if an attacker changes the request header, there is not much he can do since he cannot recreate the association nonce.
