Django REST Framework CSRF Failed: CSRF cookie not set

Question

I am using the django rest framework to perform API calls via IOS and I get the following error "CSRF Failed: CSRF cookie not set."

Here's my django API code:

class LoginView(APIView):
    """
    List all snippets, or create a new snippet.
    """
    @csrf_exempt
    def get(self, request, format=None):
        startups = Startup.objects.all()
        serializer = StartupSerializer(startups, many=True)
        return Response(serializer.data)

    @csrf_exempt
    def post(self, request, format=None):
        profile = request.POST
....

What can I do?

Possible duplicate of [Django Rest Framework remove csrf](http://stackoverflow.com/questions/30871033/django-rest-framework-remove-csrf) — user3467349, May 26 '16 at 06:52

Rahul Gupta-Iwasaki · Answer 1 · 2015-02-11T07:17:49.533

If anyone is still following this question, the direct answer is that you need to use the decorator on the view method itself. The get and post methods defined on the APIView class just tell DRF how the actual view should behave, but the view method that the django router expects is not actually instantiated until you call LoginView.as_view().

Thus, the solution is to add the csrf_exempt decorator to urls.py. It might look as follows:

#file: urls.py

from django.conf.urls import patterns, url
from django.views.decorators.csrf import csrf_exempt

import views

urlpatterns = patterns('',
    url('^login/$', csrf_exempt(views.LoginView.as_view())),
    ...
)

However, as Mark points out above, csrf protection is important to prevent your sessions from being hijacked. I haven't worked with iOS myself, but I would look into using django's cookie-based csrf tokens. You can use the ensure_csrf_cookie decorator to make django send a csrftoken cookie with a response, and your POST requests will validate as long as you include that token as an X-CSRFToken header.

And how do you do that if your'e using a router? – Gal Bracha Jun 24 '18 at 20:56 — Gal Bracha, Jun 24 '18 at 20:56

М.Б. · Answer 2 · 2019-03-02T17:27:06.383

14

I've had the same issue. My problem was that I forgot to put .as_view() in urls.py on MyAPIView. So it have to be like:

url(r'$', GetLikesAPI.as_view(), name='list')

not:

url(r'$', GetLikesAPI, name='list')

edited Mar 02 '19 at 17:27

answered Oct 14 '17 at 12:22

М.Б.

1,308
17
20

1

this is unlikely to be the case, since if you miss `as_view()`, it is likely the route will be inaccessible in total. – Exis Zhang Nov 10 '19 at 11:01
1

This was my case – Bigair Jun 28 '20 at 02:25

score 8 · Answer 3 · edited Dec 01 '17 at 07:14

The problem you encounter here is that django for processing your view is using whatever as_view() method will return, not directly method get() or post().

Therefore you should decorate your class-based view in one of following ways:

In urls.py

    urlpatterns = patterns('',
        url('^login/$', csrf_exempt(views.LoginView.as_view())),
        ...
    )

or on dispatch() method (pre django 1.9)

    from django.utils.decorators import method_decorator

    class LoginView(APIView):
       @method_decorator(csrf_exempt)
       def dispatch(self, *args, **kwargs):
           ...

or on class view itself (from django 1.9)

    from django.utils.decorators import method_decorator


    @method_decorator(csrf_exempt, name='dispatch')
    class LoginView(APIView):
           ...

score 4 · Answer 4 · edited Aug 04 '18 at 09:00

For GETs, you shouldn't be modifying data, so a CSRF isn't required.

If you are modifying data with a POST, then you SHOULD have a CSRF if you are using session based authentication. Otherwise, you're opening up a security hole. Even though you think your Django server is going to be servicing iPhone apps, there's nothing to stop someone with your app from sniffing the packets on the traffic to your server, and then reverse engineering access to the server with other kinds of web clients. For this reason, Django Rest Framework requires a CSRF in some cases. This is mentioned in the Django rest framework documentation.

The path around this requirement for POSTs is to not use session authentication. For example, you could use BasicAuthentication over HTTPS. With this authentication mechanism, you should use HTTPS to prevent credentials from being passed in the clear with every request.

> our app from sniffing the packets on the traffic - https, so no that's not the reason. — user3467349, May 26 '16 at 06:46
If you're okay with the risk of disabling CSRF because you don't feel that your packets are insecure AND there's no browser involved, you should try the solution from @Rahul Gupta-Iwasaki — Mark Chackerian, May 26 '16 at 14:00

score 3 · Answer 5 · answered Aug 17 '15 at 15:51

This is an old question but something we ran into recently.

DRF disables CSRF by default, unless using session authentication. By default NSURLconnection is set up to handle cookies. You need to explicitly tell the iOS app to not use cookies. Then you can keep using session auth if needed and not have to csrf exempt your views.

score 3 · Answer 6 · answered Apr 24 '18 at 20:46

urlpatterns = patterns('',
       url('^login/$', csrf_exempt(views.LoginView.as_view())),
       ...
)

Guys. I had the same error and spent a lot of time just for finding that: 1) I had another router with 'login' and there i missed '$'. I mean sometimes you can forget something in routing and get this error.

score 2 · Answer 7 · answered Jan 02 '18 at 14:59

2

In my case it happend because I sent put request to url='http://example.com/list/5' without slash at the end. When I changed url to url='http://example.com/list/5/' all started to work.

answered Jan 02 '18 at 14:59

Radren

307
4
6

Django REST Framework CSRF Failed: CSRF cookie not set

7 Answers7

Linked