CSRF validation does not work on Django using HTTPS
78

I am developing an application in which the frontend is an AngularJS API that makes requests to a backend API developed in Django Rest Framework.

The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net

I am having problems making requests from the frontend API to the backend API. The error is this:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

I am using CORS and I have already included the following lines in my settings.py in the Django backend API:

ALLOWED_HOSTS = []

CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']
CORS_REPLACE_HTTPS_REFERER = True
CSRF_COOKIE_DOMAIN = 'bluemix.net'

CORS_ORIGIN_WHITELIST = (
    'https://front.bluemix.net/',
    'front.bluemix.net',
    'bluemix.net',
)

Anyone knows how to solve this problem?

Lovesick answered 9/8, 2016 at 2:26 Comment(4)
Did you follow all the steps in github.com/ottoyiu/django-cors-headers? – Aggregate
Yes I did! The error is the same... – Lovesick
Maybe your version of Django is not supported. Try this fork: github.com/zestedesavoir/django-cors-middleware – Aggregate
Does this answer your question? Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins – Eidetic
172

Django 4.0 and above

For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Django 3.2 and lower

For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

You probably also need to put something in ALLOWED_HOSTS...

Shannan answered 9/8, 2016 at 4:23 Comment(10)
Thanks, the issue was with the CSRF_TRUSTED_ORIGINS. Now it works like a charm :) – Lovesick
Thank you my friend. I had the same issue and it's solved now!! – Dorsy
Public utility: you may want to specify the web server port, so use CSRF_TRUSTED_ORIGINS = ['localhost:8080'] – Mcdougall
Thank you!!!!! These CORS issues are driving me insane – Syneresis
Note that in Django 4.0 it changed. Now a scheme is required. docs.djangoproject.com/en/4.0/releases/4.0/… – Kleeman
How about if I want to allow CSRF for all hosts in my LAN, not only one? – Ryannryazan
So what, the trailing / was the problem? This answer is not clear. – Rattlesnake
@Rattlesnake yes, the trailing slash will cause a CSRF failure. – Locale
It still doesn't work for me – Stefa
You saved my life today! – Wendellwendi
16

If you are running Django 4.x, you need to change the syntax to include the scheme as part of the value. Change

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

https://docs.djangoproject.com/en/dev/releases/4.0/#format-change

Martinet answered 22/9, 2021 at 2:19 Comment(0)
16

I was also facing this issue. Ensure that the domain name does not contain the trailing slash. Instead of

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

Change it to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Overspill answered 9/11, 2022 at 8:18 Comment(2)
Thanks so much. This stupidity ate us many hours. – Stirring
This advice is pure gold – Tankage
11

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM - it might help somebody

The problem we had was a peculiar one: we have a client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware automatically created a session_id cookie for that domain. When we then opened the client application and tried to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser, and therefore the request was made using SessionAuthentication instead of TokenAuthentication and failed.

Removing the cookie was obviously fixing the problem.

Kerbing answered 15/5, 2018 at 11:02 Comment(0)
5

According to this documentation: https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes

  1. Install django-cors-headers: pip install django-cors-headers

  2. Add corsheaders to your installed apps:

    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'MyApp',
        'crispy_forms',
        'corsheaders',
    ]

  3. Add the corsheaders middleware to your middleware (listed first):

    MIDDLEWARE = [
        'corsheaders.middleware.CorsMiddleware',  # placed first
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]

  4. Set the origin:

    CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

K2 answered 31/12, 2021 at 9:38 Comment(0)
5

Apr, 2022 Update:

If your Django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code below to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got an error similar to the one above:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Akeyla answered 27/4, 2022 at 20:56 Comment(0)
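The accepted answer, Martinet's, Overspill's and this one all come down to how Django compares CSRF_TRUSTED_ORIGINS against the request. The following is an added example, not Django's code and not from any answer here: it re-implements the Django 4.x matching rules (exact string match, or a `https://*.example.com` subdomain wildcard) with the standard library only, and lints a settings list for the two traps discussed above (a trailing slash, and a scheme that is required from 4.0 but must be absent up to 3.2). Hostnames are the question's; the function names are this example's own.

```python
"""Model of how Django matches CSRF_TRUSTED_ORIGINS, with a linter for the two
formats used on this page.  Added example, not Django's own code: the matching
mirrors Django 4.x's CsrfViewMiddleware (exact string match, or a
'https://*.example.com' subdomain wildcard) using only the standard library.
Hostnames come from the question; function names are this example's own.
"""
from urllib.parse import urlparse


def lint_trusted_origins(origins, django_major):
    """Return (entry, problem) pairs for entries Django would never match.

    django_major is the Django major version the settings target: 4 and above
    need a scheme, 3 and below need a bare hostname, and a trailing slash
    breaks both, because the comparison is against the whole string and a
    browser never sends an Origin header with a trailing slash.
    """
    problems = []
    for entry in origins:
        if entry.endswith("/"):
            problems.append((entry, "trailing slash: never equals an Origin header"))
            continue
        has_scheme = "://" in entry
        if django_major >= 4 and not has_scheme:
            problems.append((entry, "Django 4.0+ needs a scheme, e.g. 'https://' + entry; "
                                    "the startup system check rejects this entry"))
        elif django_major < 4 and has_scheme:
            problems.append((entry, "Django <= 3.2 compares against the Referer host only; "
                                    "drop the scheme"))
    return problems


def is_same_domain(host, pattern):
    """Django's helper: a pattern starting with '.' matches the domain and any subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def split_trusted_origins(origins):
    """Separate exact origins from 'scheme://*.domain' wildcards, as Django 4.x does."""
    exact, subdomains = set(), {}
    for origin in origins:
        parsed = urlparse(origin)
        if "*" in parsed.netloc:
            # 'https://*.bluemix.net' -> pattern '.bluemix.net' under scheme 'https'
            subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
        else:
            exact.add(origin)
    return exact, subdomains


def origin_verified(request_origin, request_host, request_is_secure, trusted_origins):
    """Django 4.x-style decision for a request that carries an Origin header.

    request_host is what request.get_host() returns (already validated against
    ALLOWED_HOSTS); request_is_secure is request.is_secure().
    """
    # 1. A same-origin request always passes: scheme://host of this request.
    good_origin = "%s://%s" % ("https" if request_is_secure else "http", request_host)
    if request_origin == good_origin:
        return True
    # 2. Otherwise the Origin must be listed exactly ...
    exact, subdomains = split_trusted_origins(trusted_origins)
    if request_origin in exact:
        return True
    # 3. ... or match a wildcard entry with the same scheme.
    parsed = urlparse(request_origin)
    return any(is_same_domain(parsed.netloc, pattern)
               for pattern in subdomains.get(parsed.scheme, ()))


if __name__ == "__main__":
    # Constructed request: the question's front end calling the question's back end.
    front, back = "https://front.bluemix.net", "back.bluemix.net"
    for settings in (["https://front.bluemix.net/"],   # the question's value
                     ["front.bluemix.net"],            # Django <= 3.2 format
                     ["https://front.bluemix.net"],    # Django 4.x format
                     ["https://*.bluemix.net"]):       # wildcard for every subdomain
        print(settings, "lint:", lint_trusted_origins(settings, 4),
              "accepted:", origin_verified(front, back, True, settings))
```

Running it shows the question's value and the 3.2-style value both rejected on Django 4.x, while the corrected value and the wildcard pass; the wildcard only matches the scheme it was written with, so `http://front.bluemix.net` is still refused by a `https://*.bluemix.net` entry.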
4

If you are using, for example, the Flexible SSL/TLS setting in Cloudflare, put the following in your Django settings.py:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
Ganja answered 13/9, 2023 at 20:29 Comment(0)
3

This issue can also occur if you have Cloudflare's SSL/TLS encryption mode set to Flexible. Instead of the site actually being served through HTTPS, Cloudflare was modifying the HTTP site and terminating SSL on its end. This led to a failure of the CSRF mechanism, and I kept seeing this error whatever my CSRF settings were. Toggling off the setting immediately fixed the error.

Mendie answered 23/5, 2023 at 19:07 Comment(1)
Thanks for this tip - it fixed a CSRF breakage for me! – Rycca
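Ganja's and Mendie's answers describe the same root cause from two sides: behind Cloudflare's Flexible mode the origin server receives plain HTTP, so `request.is_secure()` is False and Django computes `http://host` as its own origin while the browser sent `Origin: https://host`. The following added example (not Django's code, and not from either answer) mirrors how Django's `HttpRequest.scheme` decides the scheme with and without `SECURE_PROXY_SSL_HEADER`, on constructed request metadata; the host name is illustrative.

```python
"""Why Cloudflare's 'Flexible' SSL mode trips Django's CSRF check, and what
SECURE_PROXY_SSL_HEADER changes.  Added example, not Django's own code: the
scheme decision mirrors Django's HttpRequest.scheme, and the request metadata
below is constructed to look like what the origin server sees behind the
proxy.  The host name is illustrative.
"""


def request_scheme(meta, secure_proxy_ssl_header=None):
    """'https' or 'http', decided the way request.is_secure() decides it.

    Without SECURE_PROXY_SSL_HEADER only the transport Django itself received
    counts (wsgi.url_scheme).  With it, a proxy header carrying the configured
    value marks the request as HTTPS, so enable it only when the proxy always
    overwrites that header; otherwise a client could claim HTTPS on a
    plain-HTTP request and weaken the check instead of fixing it.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            return "https" if header_value == secure_value else "http"
    return "https" if meta.get("wsgi.url_scheme") == "https" else "http"


def expected_origin(meta, secure_proxy_ssl_header=None):
    """The scheme://host Django treats as 'this site' in its CSRF origin check."""
    return "%s://%s" % (request_scheme(meta, secure_proxy_ssl_header), meta["HTTP_HOST"])


def same_site_request_passes(meta, secure_proxy_ssl_header=None):
    """True when the browser's Origin header equals Django's idea of its own origin."""
    return meta.get("HTTP_ORIGIN") == expected_origin(meta, secure_proxy_ssl_header)


# Constructed WSGI environ for a same-site POST arriving via Cloudflare "Flexible" SSL:
# the browser used HTTPS to Cloudflare, but Cloudflare talks plain HTTP to the origin.
FLEXIBLE_SSL_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "example.com",
    "HTTP_ORIGIN": "https://example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# The setting from Ganja's answer, in Django's (header name, secure value) form.
PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


if __name__ == "__main__":
    print("without SECURE_PROXY_SSL_HEADER:", expected_origin(FLEXIBLE_SSL_META),
          "->", same_site_request_passes(FLEXIBLE_SSL_META))
    print("with SECURE_PROXY_SSL_HEADER:   ", expected_origin(FLEXIBLE_SSL_META, PROXY_HEADER),
          "->", same_site_request_passes(FLEXIBLE_SSL_META, PROXY_HEADER))
```

Without the setting Django derives `http://example.com` and the comparison fails; with it, the proxy's `X-Forwarded-Proto: https` yields `https://example.com` and the same request passes. Mendie's fix of switching Cloudflare out of Flexible mode removes the mismatch at the source, and also encrypts the Cloudflare-to-origin hop that Flexible mode leaves in plain HTTP.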

© 2022 - 2024 — McMap. All rights reserved.