CSRF validation does not work on Django using HTTPS

I am developing an application in which the frontend is an AngularJS API that makes requests to the backend API developed in Django Rest Framework.

The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net

I am having problems making requests from the frontend API to the backend API. The error is this:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

I am using CORS and I have already included the following lines in my settings.py in the Django backend API:

ALLOWED_HOSTS = []

CORS_ALLOW_CREDENTIALS = True

CORS_ORIGIN_ALLOW_ALL = True

CORS_ALLOW_CREDENTIALS = True


CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

CORS_REPLACE_HTTPS_REFERER = True

CSRF_COOKIE_DOMAIN = 'bluemix.net'

CORS_ORIGIN_WHITELIST = (
    'https://front.bluemix.net/',
    'front.bluemix.net',
    'bluemix.net',
)

Anyone knows how to solve this problem?



Solution 1:[1]

Your CSRF_TRUSTED_ORIGINS setting is wrong - change it to:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

The setting requires a hostname only, not a scheme. A scheme is redundant anyway because the setting only has any effect when connecting over HTTPS.

You probably also need to put something in ALLOWED_HOSTS...

Edit: As of Django 4.0 the scheme is now required.

Solution 2:[2]

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM - it might help somebody

The problem we had was a peculiar one: we have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware automatically created a session_id cookie for that domain. When we opened the Client application and tried to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser, and therefore the request was made using SessionAuthentication instead of TokenAuthentication and failed.

Removing the cookie was obviously fixing the problem.
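The answer above hinges on which authenticator Django REST Framework tries first. What follows is an added example, not code from the answer and not DRF's own code: a small stand-alone model of the dispatch as I understand it. Authenticators are tried in DEFAULT_AUTHENTICATION_CLASSES order and the first one that returns a user wins; the session authenticator performs a CSRF check while the token authenticator does not. The Request class, the session and token tables, the function names and the double-submit CSRF comparison are all constructed for this demonstration.

```python
"""Constructed model of DRF-style authenticator dispatch (not DRF code)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stands in for DRF's PermissionDenied."""


@dataclass
class Request:
    headers: dict = field(default_factory=dict)  # e.g. {"Authorization": "Token tok-1"}
    cookies: dict = field(default_factory=dict)  # e.g. {"sessionid": "...", "csrftoken": "..."}


# Constructed lookup tables standing in for the session store and token table.
SESSIONS = {"sess-1": "alice"}
TOKENS = {"tok-1": "bob"}


def session_auth(request):
    """Stand-in for SessionAuthentication: a valid session cookie identifies
    the user, but only after a CSRF check (here a double-submit comparison of
    the csrftoken cookie with the X-CSRFToken header). A CSRF failure does not
    fall through to the next authenticator; it rejects the request."""
    user = SESSIONS.get(request.cookies.get("sessionid"))
    if user is None:
        return None  # no session: let the next authenticator try
    token = request.cookies.get("csrftoken")
    if not token or token != request.headers.get("X-CSRFToken"):
        raise PermissionDenied("CSRF Failed: token missing or incorrect")
    return user, "session"


def token_auth(request):
    """Stand-in for TokenAuthentication: 'Authorization: Token <key>'."""
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Token "):
        return None
    user = TOKENS.get(auth[len("Token "):])
    if user is None:
        raise PermissionDenied("Invalid token")
    return user, "token"


def authenticate(request, authenticators):
    """First authenticator that returns a (user, scheme) pair wins; None if
    nobody claimed the request (an anonymous request)."""
    for auth in authenticators:
        result = auth(request)
        if result is not None:
            return result
    return None


# The situation in the answer: the browser still holds a sessionid from the
# admin site while the client app sends its token, and session auth is first.
STRAY_SESSION = Request(headers={"Authorization": "Token tok-1"},
                        cookies={"sessionid": "sess-1"})

if __name__ == "__main__":
    try:
        authenticate(STRAY_SESSION, [session_auth, token_auth])
    except PermissionDenied as exc:
        print("session first:", exc)          # the answer's CSRF failure
    print("token first:", authenticate(STRAY_SESSION, [token_auth, session_auth]))
    print("cookie removed:", authenticate(
        Request(headers={"Authorization": "Token tok-1"}), [session_auth, token_auth]))
```

Removing the cookie (the answer's fix) corresponds to the last call. The model also shows the other lever: listing the token authenticator before the session one means a request carrying an Authorization header never reaches the session check, whether or not a stray session cookie is present.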

Solution 3:[3]

If you are running Django 4.x, you need to change the syntax to include the scheme as part of the value:

Change CSRF_TRUSTED_ORIGINS = ['front.bluemix.net'] to CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

https://docs.djangoproject.com/en/dev/releases/4.0/#format-change

Solution 4:[4]

According to this documentation: https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes

  1. Install django-cors-headers by running pip install django-cors-headers

  2. Add corsheaders to your installed apps

    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'MyApp',
        'crispy_forms',
        'corsheaders',
    ]
    
  3. Add the corsheaders middleware to your MIDDLEWARE (it goes first, before the other middleware)

    MIDDLEWARE = [
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]
    

  4. Set the origin

    CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Solution 5:[5]

Apr, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code below to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got a similar error to the one above:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
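Solutions 1, 3, 4 and 5 all turn on how Django compares CSRF_TRUSTED_ORIGINS with the request. The following is an added example, not code from the question, from any answer, or from Django itself: a stand-alone re-implementation, as I understand the middleware, of the pre-4.0 Referer host check (which produced the asker's error) and the 4.0+ Origin check. The function names, the request values and the raised error for an entry without a scheme are my own. It shows why the asker's entry with a trailing slash fails under both checks, why a bare hostname passes before 4.0 but is rejected from 4.0 on, and that a 'https://*.bluemix.net' wildcard covers subdomains of that domain only.

```python
"""Constructed model of Django's CSRF trusted-origin matching (not Django code)."""
from urllib.parse import urlsplit


def is_same_domain(host, pattern):
    """Django-style host match: a pattern that starts with '.' matches the
    domain and every subdomain; any other pattern must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    host = host.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def referer_ok_pre40(referer, request_host, trusted_origins, cookie_domain=None):
    """Pre-4.0 behaviour (the asker's 'Referer checking failed'): the Referer
    host is compared with the raw CSRF_TRUSTED_ORIGINS entries and with
    CSRF_COOKIE_DOMAIN (or the request host), so entries must be bare
    hostnames and a cookie domain only covers subdomains with a leading '.'."""
    parsed = urlsplit(referer)
    if parsed.scheme != "https" or not parsed.netloc:
        return False  # a malformed or non-HTTPS Referer is rejected outright
    good_hosts = list(trusted_origins) + [cookie_domain or request_host]
    return any(is_same_domain(parsed.netloc, h) for h in good_hosts)


def origin_ok_40(origin, request_scheme, request_host, trusted_origins):
    """Django 4.0+ behaviour: the Origin header must equal the request's own
    origin or one of the trusted entries verbatim, or match a
    'scheme://*.domain' wildcard entry on both scheme and domain. Entries
    without a scheme are refused at startup, so they are refused here too."""
    exact = set()
    wildcards = {}  # scheme -> ['.domain', ...]
    for entry in trusted_origins:
        if "://" not in entry:
            raise ValueError(f"{entry!r} must start with a scheme (Django 4.0+)")
        if "*" in entry:
            parsed = urlsplit(entry)
            wildcards.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
        else:
            exact.add(entry)  # compared as a whole string: a trailing '/' never matches
    if origin == f"{request_scheme}://{request_host}" or origin in exact:
        return True
    parsed = urlsplit(origin)
    if not parsed.scheme or not parsed.netloc:
        return False
    return any(is_same_domain(parsed.netloc, p) for p in wildcards.get(parsed.scheme, ()))


if __name__ == "__main__":
    # Constructed request: the asker's frontend calling the backend over HTTPS.
    host, referer, origin = "back.bluemix.net", "https://front.bluemix.net/app", "https://front.bluemix.net"
    # The asker's settings: trailing slash and a cookie domain without a leading dot.
    print(referer_ok_pre40(referer, host, ["https://front.bluemix.net/"], "bluemix.net"))  # False
    print(referer_ok_pre40(referer, host, ["front.bluemix.net"], "bluemix.net"))           # True
    print(origin_ok_40(origin, "https", host, ["https://front.bluemix.net/"]))             # False
    print(origin_ok_40(origin, "https", host, ["https://*.bluemix.net"]))                  # True
```

Two practical points fall out of the model. A wildcard entry is scoped to one scheme and one domain suffix, so it does not admit an unrelated origin, and it should still be kept as narrow as the deployment allows. And since Django 4.0 the exact entries are compared as strings, so the value must be exactly the scheme and host the browser sends in the Origin header, with no path and no trailing slash.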

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tom Wojcik
Solution 2
Solution 3 stenius
Solution 4 Oreximena
Solution 5 Kai - Kazuya Ito