I have a website running, which appears to be working fine. Yet, now I've seen this error in the logs for the first time.
Forbidden (Referer checking failed - no Referer.): /pointlocations/
[pid: 4143|app: 0|req: 148/295] 104.176.70.209 () {48 vars in 1043 bytes} [Wed Jul 26 19:49:35 2017] POST /pointlocations/?participant=A2TYLR23CHRULH&assignmentId=3P4MQ7TPPYF65ANAUBF8A3B38A0BB6 => generated 2737 bytes in 2 msecs (HTTP/1.1 403) 1 headers in 51 bytes (1 switches on core 0)
It happens when posting to /pointlocations/, but only for one specific person (each participant is unique per account, so I know it's only one person having this problem repeatedly). Over 500+ other participants have had no such problem/error.
What does this error mean, what is likely causing it and can I fix this?
TLDR: Try to use the csrf_exempt decorator for your view:
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_webhook(request):
    # Do some stuff...
    # Return an HttpResponse, as Django expects a response from the view
    return HttpResponse(status=200)
You should only do this when absolutely needed to avoid potential security flaws.
More context:
I faced a similar problem while working on a web-hook called by a third party, which is a payment solution. The Django view for that web-hook is called by the third party to notify us every time the payment status changes (goes from 'open' to 'paid', for example).
As the payment platform only provides a payment ID in the request POST, the CSRF check should not be performed. Django allows you to do this through the csrf_exempt decorator.
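For readers who want to see where the logged message comes from before deciding between widening the trusted origins and exempting a view, here is an added example that re-implements, in plain Python without Django installed, the Referer check that Django's CsrfViewMiddleware applies to POST requests over HTTPS. It is a simplified model written for this page, not Django's own code and not the answerer's: it assumes the 1.x-era behaviour where CSRF_TRUSTED_ORIGINS holds hostnames, the host `example.com`, the trusted origin `sub.example.com`, and the sample request headers are all constructed for the illustration. The "referer stripped" request reproduces the exact message in the question's log line; the other requests show which Referer values the check accepts.

```python
"""
Model of the Referer check Django's CsrfViewMiddleware applies to POST requests
over HTTPS. Simplified re-implementation for illustration only (not Django's
own code); runs without Django installed.
"""
from urllib.parse import urlparse

# Rejection reasons, worded as the middleware logs them. The first one is the
# message from the question's log line.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = (
    "Referer checking failed - Referer is insecure while host is secure."
)
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """Exact host match, or wildcard match when the pattern starts with a dot
    (".example.com" matches "example.com" and any subdomain of it)."""
    if not pattern:
        return False
    pattern = pattern.lower()
    host = host.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def check_referer(headers, request_host, is_secure, trusted_origins=(), cookie_domain=None):
    """Return (accepted, reason).

    `headers` is a plain dict of request headers, `trusted_origins` models
    CSRF_TRUSTED_ORIGINS (hostnames, 1.x style) and `cookie_domain` models
    CSRF_COOKIE_DOMAIN. The CSRF token itself is checked separately and is
    not modelled here."""
    if not is_secure:
        # Plain-HTTP requests skip the Referer check entirely.
        return True, "http request: Referer not checked"

    referer = headers.get("Referer")
    if referer is None:
        # A browser honouring a no-referrer policy, or a privacy extension,
        # lands here: the request is refused before the token is even looked at.
        return False, REASON_NO_REFERER

    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return False, REASON_MALFORMED_REFERER
    if parsed.scheme != "https":
        return False, REASON_INSECURE_REFERER

    # Hosts the Referer may point at: configured trusted origins plus the
    # cookie domain (if set) or the host the request was made to.
    good_hosts = list(trusted_origins)
    good_hosts.append(cookie_domain or request_host)
    if not any(is_same_domain(parsed.netloc, host) for host in good_hosts):
        return False, REASON_BAD_REFERER % referer
    return True, "Referer matches a trusted origin"


# Constructed sample requests to the endpoint from the question: three normal
# cases and one client that sends no Referer at all.
SAMPLE_REQUESTS = [
    ("normal browser", {"Referer": "https://example.com/pointlocations/"}),
    ("referer stripped", {}),
    ("cross-site page", {"Referer": "https://other-site.invalid/form.html"}),
    ("downgraded", {"Referer": "http://example.com/pointlocations/"}),
]


def triage(requests=SAMPLE_REQUESTS, request_host="example.com",
           trusted_origins=("sub.example.com",)):
    """Run every sample request through the check; returns {label: (ok, reason)}."""
    return {
        label: check_referer(headers, request_host, True, trusted_origins)
        for label, headers in requests
    }


if __name__ == "__main__":
    for label, (ok, why) in triage().items():
        print(f"{label:18s} {'ALLOW' if ok else '403  '} {why}")
```

Running the block prints one line per sample request; only "normal browser" is allowed, and "referer stripped" carries the same text the question's log shows. Comparing a rejected request's Referer (when one is present) against `CSRF_TRUSTED_ORIGINS` and the request host is the first thing to check server-side, since a missing header is the one case no origin setting can repair.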