Django : How to override the CSRF_FAILURE_TEMPLATE

Asked 14/11, 2014 at 7:45 Answered 31/7, 2019 at 17:9

Solved python django django-templates django-csrf

If csrf checking fails, Django display a page with 403 error.

Error page displayed on csrf error

It seems to me that this error can occur in regular use, for example, when the user disable cookie usage in his browser settings.

Unfortunately, this error message is not very helpful for the end-user and has a "django-error" layout (this is a problem because for example the site navigation is missing).

Django has a great mechanism for overriding templates but it seems that this template is hard-coded in the code. https://github.com/django/django/blob/1.6.8/django/views/csrf.py

Is there a way to override this template in order to provide a more friendly message to users?

Crenel answered 14/11, 2014 at 7:45 Comment(0)

Refer to the Django document, you can set CSRF_FAILURE_VIEW in your settings.py, such as:

CSRF_FAILURE_VIEW = 'your_app_name.views.csrf_failure'

Also, you'll need to define a csrf_failure function in your view (need to have this signature: def csrf_failure(request, reason="") based on the document), which is similar to :

def csrf_failure(request, reason=""):
    ctx = {'message': 'some custom messages'}
    return render_to_response(your_custom_template, ctx)

And you can write your custom template as:

<!DOCTYPE html>
<html>
    <head lang="en">
        <meta charset="UTF-8">
        <title></title>
    </head>
    <body>
        {{ message }}
    </body>
</html>

Konyn answered 14/11, 2014 at 8:7 Comment(5)

Thanks. It is exactly what I need. Just note that the "reason" is a developper message and should not be shown to the end user. So, in my case, I will not display it i my template. – Crenel 14/11, 2014 at 8:38

How would you test this? – Warmup 29/6, 2016 at 15:53

@guival : Go to a page with a form, open developer tools (ctrl+maj+i on Chrome), find the csrf input field, edit its value, send the form ! – Intercession 16/3, 2017 at 16:9

@Intercession great hack, thanks! What I ended doing is setting a url to render that template in debug, that just allowed me to see the csrf failure template though, not make sure it was working as intentioned. – Warmup 16/3, 2017 at 18:16

@guival Open your application login page in two tabs. Login to the app in one tab and then try to login on the other tab. You should see the CSRF error. – Anabolite 16/6, 2020 at 14:11

As of Django 1.10, you can simply add and customize the 403_csrf.html template: https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-CSRF_FAILURE_VIEW

Leach answered 11/8, 2018 at 1:43 Comment(0)

Add 403_csrf.html template to the project template directory.

As you can see in the source code django/views/csrf.py: if you have this template, it will be applied. Nothing needs to be configured.

Template content that you need to customize for your needs:

<div id="summary">
  <h1>{{ title }} <span>(403)</span></h1>
  <p>{{ main }}</p>
{% if no_referer %}
  <p>{{ no_referer1 }}</p>
  <p>{{ no_referer2 }}</p>
  <p>{{ no_referer3 }}</p>
{% endif %}
{% if no_cookie %}
  <p>{{ no_cookie1 }}</p>
  <p>{{ no_cookie2 }}</p>
{% endif %}
</div>

Cale answered 31/7, 2019 at 17:9 Comment(0)

Recommended topics

Hot tags