
I am developing an application in which the frontend is an AngularJS API that makes requests to a backend API developed in Django Rest Framework.

The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net

I am having problems making requests from the frontend API to the backend API. The error is this:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

I am using CORS and I have already included the following lines in my settings.py in the Django backend API:

ALLOWED_HOSTS = []

CORS_ALLOW_CREDENTIALS = True

CORS_ORIGIN_ALLOW_ALL = True

CORS_ALLOW_CREDENTIALS = True


CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

CORS_REPLACE_HTTPS_REFERER = True

CSRF_COOKIE_DOMAIN = 'bluemix.net'

CORS_ORIGIN_WHITELIST = (
    'https://front.bluemix.net/',
    'front.bluemix.net',
    'bluemix.net',
)

Anyone knows how to solve this problem?

Super Kai - Kazuya Ito
ccr
  • Did you follow all the steps in https://github.com/ottoyiu/django-cors-headers/ ? – wilcus Aug 09 '16 at 03:02
  • Yes I did! The error is the same... – ccr Aug 09 '16 at 03:08
  • Maybe your version of django is not supported. Try this fork https://github.com/zestedesavoir/django-cors-middleware – wilcus Aug 09 '16 at 03:19
  • Does this answer your question? [Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins](https://stackoverflow.com/questions/70285834/forbidden-403-csrf-verification-failed-request-aborted-reason-given-for-fail) – dfrankow Jan 24 '23 at 20:00

7 Answers

Django 4.0 and above

For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Django 3.2 and lower

For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

You probably also need to put something in ALLOWED_HOSTS...

solarissmoke

If you are running Django 4.x, you need to change the syntax to include the scheme as part of the value, from

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

https://docs.djangoproject.com/en/dev/releases/4.0/#format-change

stenius

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM - it might help somebody

The problem we had was a peculiar one: we have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware was automatically creating a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser and therefore, the request was made using SessionAuthentication instead of TokenAuthentication and failing.

Removing the cookie was obviously fixing the problem.

Tysoncete
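The answer above describes DRF choosing SessionAuthentication because a session cookie happened to be present. The following Python is an added model of that selection logic, written for this page and not Django REST Framework's own code: DRF tries its authentication classes in order, the first one that identifies a user wins, and SessionAuthentication enforces CSRF as soon as it finds a logged-in session. The session and token tables, the request objects and the cookie names are constructed, and the CSRF check is reduced to a cookie/header comparison that stands in for Django's full CsrfViewMiddleware (Origin/Referer plus token).

```python
"""Model of DRF authenticator ordering and why a leftover session cookie
drags a token-authenticated client into the CSRF check.
Simplified re-implementation for illustration, not DRF's own code."""
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# Constructed stand-ins for the session store and the token table.
SESSIONS = {"s3ss10n": "alice"}
TOKENS = {"t0k3n": "alice"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # e.g. {"Authorization": "Token ..."}
    cookies: dict = field(default_factory=dict)   # e.g. {"sessionid": "..."}


class CsrfFailed(Exception):
    """Raised where DRF would answer 403 'CSRF Failed: ...'."""


class SessionAuthentication:
    def authenticate(self, request):
        user = SESSIONS.get(request.cookies.get("sessionid"))
        if user is None:
            return None  # no usable session: let the next authenticator try
        # The browser attached the session cookie on its own (ambient authority),
        # so the CSRF check runs here even though an Authorization header exists.
        if request.method not in SAFE_METHODS:
            expected = request.cookies.get("csrftoken")
            if not expected or request.headers.get("X-CSRFToken") != expected:
                raise CsrfFailed("CSRF Failed: CSRF token missing or incorrect.")
        return user


class TokenAuthentication:
    def authenticate(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Token "):
            return None
        # Real DRF raises AuthenticationFailed for an unknown token; simplified here.
        return TOKENS.get(auth.split(" ", 1)[1])


def authenticate(request, authentication_classes):
    """Return the user name from the first authenticator that accepts the
    request, or None (anonymous): DRF's first-match rule."""
    for cls in authentication_classes:
        user = cls().authenticate(request)
        if user is not None:
            return user
    return None


def token_post_with_stale_session():
    """Constructed request for the scenario above: an API client sending a
    token from a browser that still holds a session cookie for the domain."""
    return Request(
        "POST",
        headers={"Authorization": "Token t0k3n"},
        cookies={"sessionid": "s3ss10n"},
    )


if __name__ == "__main__":
    req = token_post_with_stale_session()
    try:
        print("session first ->", authenticate(req, [SessionAuthentication, TokenAuthentication]))
    except CsrfFailed as exc:
        print("session first ->", exc)
    print("token first   ->", authenticate(req, [TokenAuthentication, SessionAuthentication]))
    print("token only    ->", authenticate(req, [TokenAuthentication]))
```

In real DRF the equivalent knobs are `authentication_classes` on the view or `DEFAULT_AUTHENTICATION_CLASSES` in the `REST_FRAMEWORK` setting: listing TokenAuthentication first, or leaving SessionAuthentication out of API views entirely, keeps a stray admin session cookie from turning a token request into a CSRF-checked one, which is more robust than asking users to clear the cookie.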

I was also facing this issue. Ensure that the domain name does not contain the trailing slash. Instead of

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

Change it to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Enock Simiyu
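The answers by solarissmoke, stenius and Enock Simiyu above give the format rules by example. The following Python is an added model of the matching logic, written for this page and not Django's own code; it keeps the rules (bare hostnames, optionally with a leading dot, up to 3.2; scheme://host with `*.` wildcards from 4.0; whole-string comparison, so a trailing slash never matches) and drops the rest of CsrfViewMiddleware. The hostnames are the question's; the `.bluemix.net` and `https://*.bluemix.net` entries and the request values are constructed.

```python
"""Model of how Django matches a request's Referer (<= 3.2) or Origin (>= 4.0)
against CSRF_TRUSTED_ORIGINS. Simplified re-implementation for illustration,
not Django's own code; all settings and hosts below are constructed."""
from urllib.parse import urlparse


def is_same_domain(host: str, pattern: str) -> bool:
    """A leading-dot pattern matches the domain itself and any subdomain;
    any other pattern must equal the host exactly (django.utils.http rule)."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def referer_check_legacy(referer: str, trusted_origins, request_host: str) -> bool:
    """Django <= 3.2 on HTTPS: the Referer's netloc must match the request
    host or one of the bare hostnames in CSRF_TRUSTED_ORIGINS. An entry that
    carries a scheme or a trailing slash can never match a netloc."""
    netloc = urlparse(referer).netloc.lower()
    if not netloc:
        return False
    good_hosts = [request_host.lower(), *trusted_origins]
    return any(is_same_domain(netloc, h) for h in good_hosts)


def origin_check_modern(origin: str, trusted_origins, request_scheme: str, request_host: str) -> bool:
    """Django >= 4.0 when the browser sends Origin: entries need a scheme, are
    compared as whole strings (trailing slash fails), and 'https://*.example.com'
    matches subdomains of the same scheme only."""
    for entry in trusted_origins:
        if "://" not in entry:
            # Django's system check rejects an entry without a scheme at startup.
            raise ValueError(f"{entry!r} has no scheme; use 'https://{entry}'")
    exact = {o for o in trusted_origins if "*" not in o}
    subdomains = {}
    for o in trusted_origins:
        if "*" in o:
            p = urlparse(o)
            subdomains.setdefault(p.scheme, []).append(p.netloc.lstrip("*"))
    # Same-origin shortcut. It uses the scheme the application sees for its
    # own request, so an app behind a proxy that terminates TLS and forwards
    # plain http compares 'http://host' against the browser's 'https://host'.
    if origin == f"{request_scheme}://{request_host.lower()}":
        return True
    if origin in exact:
        return True
    p = urlparse(origin)
    return any(is_same_domain(p.netloc.lower(), d) for d in subdomains.get(p.scheme, []))


if __name__ == "__main__":
    # The three spellings that appear on this page, checked under both rule sets.
    for entry in ["https://front.bluemix.net/", "front.bluemix.net", "https://front.bluemix.net"]:
        legacy = referer_check_legacy("https://front.bluemix.net/app", [entry], "back.bluemix.net")
        try:
            modern = origin_check_modern("https://front.bluemix.net", [entry], "https", "back.bluemix.net")
        except ValueError as exc:
            modern = f"startup error ({exc})"
        print(f"{entry!r:30} Django<=3.2: {legacy!s:5} Django>=4.0: {modern}")
```

Running it shows why only the scheme-plus-host form without a trailing slash satisfies 4.0, and why the bare hostname is the only form 3.2 accepts. Because the 4.0 check also compares schemes, an application that sits behind a TLS-terminating proxy and receives plain HTTP no longer recognises its own HTTPS origin; Django's documented `SECURE_PROXY_SSL_HEADER` setting is the knob that tells it to trust the proxy's forwarded-protocol header in that deployment.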

According to this documentation: https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes

  1. Install django-cors-headers: pip install django-cors-headers

  2. Add corsheaders to your installed apps:

    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'MyApp',
        'crispy_forms',
        'corsheaders',
    ]

  3. Add the corsheaders middleware to your middleware:

    MIDDLEWARE = [
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]

  4. Set the origin:

    CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Oreximena

Apr, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code below to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got a similar error to the one above:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
sideshowbarker
Super Kai - Kazuya Ito

This issue can also occur if you have Cloudflare's SSL/TLS encryption mode set to Flexible. Instead of the site actually being served through Https, Cloudflare was modifying the http site and setting SSL on its end. This led to a failure of CSRF mechanism, and I kept seeing this error, whatever my CSRF settings were. Toggling off the setting immediately fixed the error.

Joel G Mathew