Setting HTTP_REFERER header in Django test

Asked 3/8, 2012 at 19:15 Answered 3/2, 2018 at 22:27

Solved django http-referer django-testing

I'm working on a Django web application which (amongst other things) needs to handle transaction status info sent using a POST request.

In addition to the HTTP security supported by the payment gateway, my view checks request.META['HTTP_REFERER'] against an entry in settings.py to try to prevent funny business:

if request.META.get('HTTP_REFERER', '') != settings.PAYMENT_URL and not settings.DEBUG:
    return HttpResponseForbidden('Incorrect source URL for updating payment status')

Now I'd like to work out how to test this behaviour.

I can generate a failure easily enough; HTTP_REFERER is (predictably) None with a normal page load:

def test_transaction_status_succeeds(self):
    response = self.client.post(reverse('transaction_status'), { ... })
    self.assertEqual(response.status_code, 403)

How, though, can I fake a successful submission? I've tried setting HTTP_REFERER in extra, e.g. self.client.post(..., extra={'HTTP_REFERER': 'http://foo/bar'}), but this isn't working; the view is apparently still seeing a blank header.

Does the test client even support custom headers? Is there a work-around if not? I'm using Django 1.1, and would prefer not to upgrade just yet if at all possible.

Zebedee answered 3/8, 2012 at 19:15 Comment(1)

This was not your problem, but for others who are having the difficulty I had: Django was not recognizing the headers I was sending because I didn't properly transform their names as documented here, as described the CGI specification. For example, X-CSRFToken would be HTTP_X_CSRFTOKEN. After transforming them I could simply use them as kwargs, as in supervacuo's answer below. – Pagas 31/3, 2014 at 19:58

Almost right. It's actually:

def transaction_status_suceeds(self):
    response = self.client.post(reverse('transaction_status'), {}, HTTP_REFERER='http://foo/bar')

I'd missed a ** (scatter operator / keyword argument unpacking operator / whatever) when reading the source of test/client.py; extra ends up being a dictionary of extra keyword arguments to the function itself.

Zebedee answered 5/8, 2012 at 19:31 Comment(2)

I got a "__init__() got an unexpected keyword argument 'HTTP_REFERER'" when trying to use this. Maybe it changed in newer versions of django? – Butylene 14/4, 2015 at 21:21

@StevenRogers, it sounds like you might have done c = Client(HTTP_REFERER='http://foo/bar') instead (the only thing I can think of that will call __init__). I was suggesting adding that as a kwarg to post() & get(); I just tested this on Django 1.7.3 and it seems to work fine… – Zebedee 16/4, 2015 at 9:48

You can pass HTTP headers to the constructor of Client:

from django.test import Client
from django.urls import reverse

client = Client(
    HTTP_USER_AGENT='Mozilla/5.0',
    HTTP_REFERER='http://www.google.com',
)
response1 = client.get(reverse('foo'))
response2 = client.get(reverse('bar'))

This way you don't need to pass headers every time you make a request.

Aeolic answered 3/2, 2018 at 22:27 Comment(2)

It is worth a mention that the HTTP_HEADER will get updated after a redirect that results from client.get or client.post. This wasn't obvious to me at first. – Rattlebrained 31/7, 2019 at 9:42

hello Max Malysh, where exactly should I place your HTTP headers? On .htaccess file , or in the php code ? – Diamine 26/1, 2021 at 8:14

Recommended topics

Hot tags