I am developing an application in which the frontend is an AngularJS app that makes requests to a backend API developed in Django Rest Framework.
The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net
I am having problems making requests from the frontend API to the backend API. The error is this:
Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.
I am using CORS and I have already included the following lines in my settings.py in the Django backend API:
ALLOWED_HOSTS = []
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']
CORS_REPLACE_HTTPS_REFERER = True
CSRF_COOKIE_DOMAIN = 'bluemix.net'
CORS_ORIGIN_WHITELIST = (
'https://front.bluemix.net/',
'front.bluemix.net',
'bluemix.net',
)
Anyone knows how to solve this problem?
For anyone who follows this: if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.
SOLUTION TO MY PROBLEM - it might help somebody
The problem we had was a peculiar one. We have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware was automatically creating a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:
Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.
That was only because the session_id cookie was already set in the browser and therefore, the request was made using SessionAuthentication instead of TokenAuthentication and failing.
Removing the cookie was obviously fixing the problem.
For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:
CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
You probably also need to put something in ALLOWED_HOSTS
...
If you are running Django 4.x, you need to change the syntax to include the scheme as part of the value:
CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
to
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
https://docs.djangoproject.com/en/dev/releases/4.0/#format-change
According to this documentation: https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes
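To make the format change concrete, here is an added example (not Django's own code, and not from any answer above) that models how Django 4.0+ decides whether a request's Origin is covered by CSRF_TRUSTED_ORIGINS: entries are 'scheme://host', compared verbatim, with an optional leading '*.' label for subdomains. The domains and the helper names are constructed from the question; the simplified rules follow the documented 4.0 behaviour.

```python
"""Model of the Django 4.0+ CSRF_TRUSTED_ORIGINS check (added example,
not Django's code). Entries must be 'scheme://host[:port]'; a leading
'*.' label allows subdomains of that host for that scheme only."""
from urllib.parse import urlparse


def split_trusted_origins(trusted):
    """Split entries into exact origins and per-scheme wildcard hosts.
    Entries without a scheme (the Django 3.2 format) are rejected, as
    Django's startup system check does since 4.0."""
    exact, wildcards = set(), {}
    for entry in trusted:
        parsed = urlparse(entry)
        if not parsed.scheme or not parsed.netloc:
            raise ValueError(f"{entry!r}: Django 4.0+ requires scheme://host")
        if "*" in parsed.netloc:
            # 'https://*.bluemix.net' -> scheme 'https', host pattern '.bluemix.net'
            wildcards.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
        else:
            exact.add(entry)  # compared verbatim: a trailing '/' never matches
    return exact, wildcards


def is_same_domain(host, pattern):
    """Exact host match, or a subdomain match when pattern starts with '.'."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def origin_allowed(request_origin, trusted):
    """True if a cross-site unsafe request from request_origin passes the check."""
    exact, wildcards = split_trusted_origins(trusted)
    if request_origin in exact:
        return True
    parsed = urlparse(request_origin)
    return any(is_same_domain(parsed.netloc, host)
               for host in wildcards.get(parsed.scheme, ()))


if __name__ == "__main__":
    # Constructed cases using the question's domains.
    print(origin_allowed("https://front.bluemix.net", ["https://front.bluemix.net"]))   # True
    print(origin_allowed("https://front.bluemix.net", ["https://front.bluemix.net/"]))  # False
    print(origin_allowed("https://front.bluemix.net", ["https://*.bluemix.net"]))       # True
    print(origin_allowed("http://front.bluemix.net", ["https://*.bluemix.net"]))        # False
    print(origin_allowed("https://evil-bluemix.net", ["https://*.bluemix.net"]))        # False
```

The second case is the trap in the question's own settings: an entry with a trailing slash is a valid URL but never equals a browser-sent Origin header.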
Install django-cors-headers by doing:
pip install django-cors-headers
Add corsheaders to your installed apps:
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'MyApp',
'crispy_forms',
'corsheaders',
]
Add the corsheaders middleware to your middleware:
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
Set the origin:
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']