 

What does error mean? : "Forbidden (Referer checking failed - no Referer.):"

Tags:

nginx

django

I have a website running, which appears to be working fine. Yet, now I've seen this error in the logs for the first time.

Forbidden (Referer checking failed - no Referer.): /pointlocations/
[pid: 4143|app: 0|req: 148/295] 104.176.70.209 () {48 vars in 1043 bytes} [Wed Jul 26 19:49:35 2017] POST /pointlocations/?participant=A2TYLR23CHRULH&assignmentId=3P4MQ7TPPYF65ANAUBF8A3B38A0BB6 => generated 2737 bytes in 2 msecs (HTTP/1.1 403) 1 headers in 51 bytes (1 switches on core 0)

It happens when posting to /pointlocations/, but only for one specific person (each participant is unique per account, so I know it's only one person having this problem repeatedly). Over 500+ other participants have had no such problem/error.

What does this error mean, what is likely causing it and can I fix this?

Mitchell van Zuylen asked Jul 26 '17 19:07


1 Answer

TLDR: Try to use the csrf_exempt decorator for your view:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_webhook(request):
    # Do some stuff...

    # Return an HttpResponse, as Django expects a response object from the view
    return HttpResponse(status=200)

You should only do this when absolutely needed to avoid potential security flaws.

More context:

I faced a similar problem while working on a web-hook called by a third-party which is a payment solution. The Django view for that web-hook is called by the third-party to notify us every time the payment status changes (goes from 'open' to 'paid' for example).

As the payment platform only provides a payment ID in the request POST, the CSRF check should not be performed. Django allows you to do this through the csrf_exempt decorator.

Q Caron answered Sep 20 '22 22:09
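What the logged line means, in Django terms: CsrfViewMiddleware only performs the Referer check for HTTPS requests, and it rejects such a request with exactly this reason when the Referer header is absent (Django 4.0 and later look at the Origin header first and fall back to the Referer only when Origin is missing). A client whose browser or privacy extension strips the Referer therefore fails on a site that works for everyone else, even when it sends a valid CSRF token. Note also that the answer's csrf_exempt is applied to a server-to-server webhook; exempting a browser-facing form view such as /pointlocations/ removes CSRF protection for every user, not just the one with the missing Referer. The block below is an added example, not code from the question, the answer or Django itself: a stand-alone model of that Origin/Referer decision (the function names, the sample host, secret, body and the X-Signature header name are assumptions), followed by the HMAC verification a csrf_exempt webhook should perform so that dropping CSRF protection does not leave the endpoint open to anyone who knows its URL.

```python
"""
Added example (not from the question, the answer, or Django's source):
a stand-alone model of the Origin/Referer stage of Django's CSRF check,
which is what produces "Forbidden (Referer checking failed - no Referer.)",
plus the HMAC check a csrf_exempt webhook should do instead of CSRF.
Function names, sample host, secret, body and header name are hypothetical.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Rejection reasons worded as Django's CsrfViewMiddleware logs them.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = (
    "Referer checking failed - Referer is insecure while host is secure."
)
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."


def csrf_origin_check(is_secure, host, headers, trusted_origins=()):
    """Model of the Origin/Referer stage of Django's CSRF check for an unsafe
    method such as POST. Returns None if the request passes this stage, else
    the rejection reason. The token/cookie comparison Django performs
    afterwards is not modelled: a valid token never rescues a request that
    is rejected here, which is why the questioner's user gets a 403."""
    scheme = "https" if is_secure else "http"
    allowed_origins = {f"{scheme}://{host}", *trusted_origins}

    # Django 4.0+ checks the Origin header first when the browser sends one.
    origin = headers.get("Origin")
    if origin is not None:
        return None if origin in allowed_origins else REASON_BAD_ORIGIN % origin

    # Without Origin, a Referer is only required over HTTPS. A browser that
    # strips it (privacy extension, Referrer-Policy: no-referrer) lands here.
    if not is_secure:
        return None
    referer = headers.get("Referer")
    if referer is None:
        return REASON_NO_REFERER
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return REASON_MALFORMED_REFERER
    if parts.scheme != "https":
        return REASON_INSECURE_REFERER
    good_hosts = {host, *(urlsplit(o).netloc for o in trusted_origins)}
    if parts.netloc not in good_hosts:
        return REASON_BAD_REFERER % referer
    return None


def sign_webhook(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, as the sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers, body: bytes, secret: bytes) -> int:
    """What a csrf_exempt webhook view should do instead of relying on CSRF:
    authenticate the caller. Returns the HTTP status the view would send.
    "X-Signature" is a hypothetical header name; real providers differ."""
    presented = headers.get("X-Signature", "")
    expected = sign_webhook(body, secret)
    # compare_digest keeps the comparison constant-time, so the expected
    # value cannot be recovered byte by byte from response timing.
    if not hmac.compare_digest(expected, presented):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    print(csrf_origin_check(True, "example.com", {}))
    print(csrf_origin_check(True, "example.com",
                            {"Referer": "https://example.com/pointlocations/"}))
    secret = b"webhook-secret"
    body = b'{"id": "tr_123", "status": "paid"}'
    print(handle_webhook({"X-Signature": sign_webhook(body, secret)}, body, secret))
    print(handle_webhook({}, body, secret))
```

Running the module prints the "no Referer" reason for an HTTPS POST without a Referer, None for the same POST with a same-site Referer, then 200 for a correctly signed webhook body and 403 for an unsigned one.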