No sure whether it's a bug. I added a {% csrf_token %} after tag at line 26. Then this issue solved. google
