Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

Question

Help

Reason given for failure:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

Answer 1

Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.

If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.

CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']

Review this line for any changes needed, for example if you need to swap out https for http.

Root cause is the addition of origin header checking in 4.0.

https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

Changed in Django 4.0:

Origin header checking isn’t performed in older versions.

Answer 2

Mar, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got this error:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']

Answer 3

Origin and host are the same domain

If, like me, you are getting this error when the origin and the host are the same domain.

It could be because:

1. You are serving your django app over HTTPS,
2. Your django app is behind a proxy e.g. Nginx,
3. You have forgotten to set SECURE_PROXY_SSL_HEADER in your settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and/or
4. You have forgotten to set the header in your server configuration e.g. proxy_set_header X-Forwarded-Proto https; for Nginx.

In this case:

• The origin header from the client's browser will be https://www.example.com due to 1.
• request.is_secure() is returning False due to 2, 3 and 4.
• Meaning _origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):

    def _origin_verified(self, request):
        request_origin = request.META["HTTP_ORIGIN"]
        try:
            good_host = request.get_host()
        except DisallowedHost:
            pass
        else:
            good_origin = "%s://%s" % (
                "https" if request.is_secure() else "http",
                good_host,
            )
            if request_origin == good_origin:
                return True

Make sure you read the warning in https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header before changing this setting though!