Login/Register
Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins
Asked Answered
pythonpython-3.xdjangocsrfdjango-csrf
E

5

88

Help

Reason given for failure:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

Espionage answered 9/12, 2021 at 7:1 Comment(0)
N
194

If you are doing a cross-origin request, you may be seeing this error. For example, if you are submitting a form to api.example.com from a web page on site.example.com, this is a cross-origin request and it may cause this error. (If you are not doing a cross-origin request, but you are doing a normal request through HTTPS, then see the other answers.)

Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.

If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.

CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']

Review this line for any changes needed, for example if you need to swap out https for http.

Root cause is the addition of origin header checking in 4.0.

https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

Changed in Django 4.0:

Origin header checking isn’t performed in older versions.

Noiseless answered 12/12, 2021 at 18:19 Comment(5)
sir, i am trying to make request to django from localhost:300 (reactjs) and I have added CSRF_TRUSTED_ORIGINS = ['localhost:3000/'] , but it's still saying that Forbidden (Origin checking failed - localhost:3000 does not match any trusted origins.): /api/login/ , can you please help me with thisProfess
If I am already using the ALLOWED_HOSTS setting to get values set from environment variables, is there any reason to not just set CSRF_TRUSTED_ORIGINS to the same thing? IE os.getenv('ALLOWED_HOSTS').split(',')?Dar
This may work for some, but is not the only possible solution. See Chris's answer below. (SECURE_PROXY_SSL_HEADER)Torso
This should only be done if you're actually doing a cross-origin request (i.e. submitting a form to api.example.com from a page on site.example.com). If you're not attempting to do this (rare) action, then it's likely the SECURE_PROXY_SSL_HEADER setting as described in another answer.Skepticism
I can see the bug is not coming, Thank you so much broChaworth
T
62

Origin and host are the same domain

If, like me, you are getting this error when the origin and the host are the same domain.

It could be because:

  1. You are serving your django app over HTTPS,
  2. Your django app is behind a proxy e.g. Nginx,
  3. You have forgotten to set SECURE_PROXY_SSL_HEADER in your settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and/or
  4. You have forgotten to set the header in your server configuration e.g. proxy_set_header X-Forwarded-Proto https; for Nginx.

In this case:

  • The origin header from the client's browser will be https://www.example.com due to 1.
  • request.is_secure() is returning False due to 2, 3 and 4.
  • Meaning _origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):
    def _origin_verified(self, request):
        request_origin = request.META["HTTP_ORIGIN"]
        try:
            good_host = request.get_host()
        except DisallowedHost:
            pass
        else:
            good_origin = "%s://%s" % (
                "https" if request.is_secure() else "http",
                good_host,
            )
            if request_origin == good_origin:
                return True

Make sure you read the warning in https://docs.djangoproject.com/en/stable/ref/settings/#secure-proxy-ssl-header before changing this setting though!

Telly answered 15/3, 2022 at 13:13 Comment(7)
Actually, this answer is correct way to fix this error. It fixes two issues one is this CSRF check and other is request.is_secure() value, which it should return True in this case. By updating CSRF_TRUSTED_ORIGINS, you would fix it, but i would consider it as hack, it solves only this problem.Kheda
This is the correct answer for most cases. And even if you’re not running the web host, deployment platforms like fly.io do, and they send your app these headers.Rowlett
but what if we want to make a login form work on HTTP?Industry
It worked for me after this setup in NGINX: add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';Voronezh
I spent a week trying to figure out the issue. This answer solved it. I can remove @csrf_exempt now!Sher
This is correct answer. But I suggest to replacing set_proxy_header X-Forwarded-Proto https; with set_proxy_header X-Forwarded-Proto $scheme;. It is more general solution - 1 nginx server section can serve both http and https trafficsPasho
It would be call if the debug help text displayed for this error would mention this as a possible issue. The code is here: github.com/django/django/blob/main/django/views/csrf.pyVesper
E
55

Mar, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got this error:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']
Estray answered 20/2, 2022 at 12:12 Comment(1)
This should only be done if you're actually doing a cross-origin request (i.e. submitting a form to api.example.com from a page on site.example.com). If you're not attempting to do this (rare) action, then it's likely the SECURE_PROXY_SSL_HEADER setting as described in another answer.Skepticism
L
1

You can also have this error because you are using a container on Proxmox.
If your https domain name is routed by Proxmox via an internal http connection you will have this error.

DOMAIN NAME (https) => Proxmox => (http) => Container with Django : CSRF ERROR

I had this error, and change the routing via Proxmox to my container via an https internal connection (I had to create and sign a certificate on my CT).

DOMAIN NAME (hhtps) => Proxmox => (https) => Container with Django

Since the CSRF error on Django disappeared.

Longwood answered 1/9, 2022 at 8:31 Comment(0)
V
1

If you are using CloudFlare as a proxy between your server and the user, and you are using HTTPS, then you may be experiencing this issue.

In one of your templates, add this code to debug this issue:

is_secure: {{ request.is_secure }}

Load your website over HTTPS. You should see is_secure: True. If you see is_secure: False, then there is an issue that can cause this problem.

Since CloudFlare sets the X-Forwarded-Proto header and we trust all requests are coming through CloudFlare, set this:

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

(If you can't trust that all requests are coming through CloudFlare, then this is dangerous to set, see the documentation.)

Open your CloudFlare settings in your web browser, and navigate to SSL/TLS. Make sure your encryption mode is not "Flexible" but is "Full" or "Full (strict)". That way, the connection between your server and CloudFlare is over HTTPS. Your server will need to support HTTPS for this to work.

Now, when you load a page over HTTPS, you should see: is_secure: True, and this CSRF issue should resolve itself.

Vesper answered 15/12, 2023 at 8:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.