
After installing SSL/HTTPS keys, X-CSRFToken is dropped. I also set up HTTP/2. Before HTTPS everything worked correctly, but now I am getting 403 because the CSRF token is missing. I can't find info addressing this particular issue. Thanks for any help.

    server {
        # Enable HTTP/2
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl on;   # redundant with the "ssl" parameter on listen above
        server_name site.io www.site.io;

        # Use the Let's Encrypt certificates
        ssl_certificate /etc/letsencrypt/live/site.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site.io/privkey.pem;

        # Include the SSL configuration from cipherli.st
        include /etc/nginx/snippets/ssl-params.conf;

        add_header Strict-Transport-Security max-age=500;

        access_log /home/nodejs/site.io/resuma_io_access.log;
        error_log /home/nodejs/site.io/resuma_io_error.log;
        root /home/nodejs/site.io/www/dist/client;

        # Only these paths are proxied to the Node backend; everything else
        # (including the initial page load) is served from "root" by nginx.
        location ~ ^/(api|user|auth|socket.io-client|sitemap.xml) {
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-NginX-Proxy     true;
            proxy_set_header   Upgrade           $http_upgrade;
            proxy_ssl_session_reuse off;
            proxy_redirect off;
            proxy_set_header   Connection        'upgrade';
            proxy_cache_bypass $http_upgrade;
            proxy_http_version 1.1;
            # proxy_pass_header affects response headers coming back from the
            # upstream, not request headers sent to it.
            proxy_pass_header  X-CSRFToken;
            add_header X-Frame-Options SAMEORIGIN;
            sendfile  off;
            proxy_pass         http://nodejs_upstream;
        }
    }
user2814599
  • Were you able to find a workaround for this? I believe I'm also having the same issue. – user805981 Mar 31 '17 at 01:47
  • If you have the same settings as described above, you are likely to have a problem somewhere else. It did not work for me because the X-CSRF token was generated and set by the backend on any first request. But since all files were served by nginx, there was no request to the backend on initial page load for a guest user. As a workaround I make one server request to create the token on initial page load. – user2814599 Apr 01 '17 at 13:15

2 Answers


I have the same issue with Django running on Nginx SSL/https.

As mentioned by Bryan in "Django CSRF check failing with an Ajax POST request", one other way to pass the csrftoken is to pass it through the parameters:

    $.ajax({
        type: 'POST',
        url: '/api/endpoint/',   // hypothetical endpoint, replace with your own
        data: {
            somedata: 'somedata',
            moredata: 'moredata',
            csrfmiddlewaretoken: mytoken   // the form field name Django's CSRF check looks for
        }
    });

Where csrfmiddlewaretoken stands for the variable name used by your API to store the csrftoken (csrfmiddlewaretoken in Django), and mytoken is a variable initialized from either:

  1. DOM: using the token-named variable of your API. In Django, just add {% csrf_token %} in your HTML file. This will feed the csrfmiddlewaretoken variable, which will be accessible in jQuery:

    mytoken = jQuery("[name=csrfmiddlewaretoken]").val();

  2. COOKIE: using a jQuery function which gets the token from the cookie:

    mytoken = getCookie('csrftoken');

The getCookie() function is given in the Django docs for dealing with CSRF-protected POSTs made with AJAX.

Of course, this doesn't solve the header issue with SSL, but it allows POST, PUT and DELETE requests. It also requires adding the csrfmiddlewaretoken variable to each $.ajax call.

openHBP

Reading through my last search on Stack Overflow I've found the real cause of the problem. In my case, it was not a header problem but a cookie one! The CSRFToken was not in the cookie!

What Wtower answered on 13/05/2015 in "403 Forbidden error when making an ajax Post request in Django framework" is clearly explained.

CSRF_COOKIE_HTTPONLY = True in settings.py must be either removed or set to False!

If this is set to True, client-side JavaScript will not be able to access the CSRF cookie!

Viktova
openHBP
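An added example, not code from the question or either answer: it combines the cookie-reading approach from the first answer with the failure mode the second answer describes, so a request that would be rejected with 403 fails visibly on the client instead. getCookie mirrors the helper in the Django docs; buildCsrfHeaders, SAFE_METHODS and the sample cookie string are assumed names and constructed values, and the cookie string is passed in explicitly (in a browser you would pass document.cookie) so the logic also runs under Node.

```javascript
// Added example: read Django's csrftoken cookie and send it back as the
// X-CSRFToken header on unsafe requests. The cookie string is a parameter
// so this runs outside a browser; in the page, pass document.cookie.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie-style string ("a=1; b=2") and return the value of
// `name`, or null when it is absent (same approach as the Django docs helper).
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Build request headers. For POST/PUT/DELETE the CSRF header is mandatory, so
// a missing cookie is reported as an error rather than silently sending a
// request the server will reject with 403.
function buildCsrfHeaders(method, cookieString, cookieName = 'csrftoken') {
  const headers = { 'Content-Type': 'application/json' };
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  const token = getCookie(cookieName, cookieString);
  if (token === null) {
    // Typical causes seen in this thread: CSRF_COOKIE_HTTPONLY = True (JS
    // cannot read the cookie), or the first page load was served entirely by
    // nginx so the backend never set the cookie.
    throw new Error(
      `CSRF cookie "${cookieName}" not readable; ${method} would be rejected with 403`);
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Constructed sample cookie string standing in for document.cookie.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=Qw3rTy%2Fz';

console.log(buildCsrfHeaders('POST', SAMPLE_COOKIES));
```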