I've just deployed my Django project on AWS with nginx. Everything works well except for when I try to make any POST requests (over just HTTP), I get the error:
"Forbidden (403) CSRF verification failed. Request aborted."
CSRF verification works if I run my server directly using Django, which leads me to think that I did not set up my nginx.conf correctly.
Can someone give some guidance as to how I can configure nginx to work with csrf?
Here's my current config:
```nginx
#nginx.conf
upstream django {
    # connect to this socket
    server unix:///tmp/uwsgi.sock; # for a file socket
    #server 127.0.0.1:8001; # for a web port socket
}

server {
    # the port your site will be served on
    listen 80;
    root /opt/apps/site-env/site;
    # the domain name it will serve for
    server_name mysite.org
    charset utf-8;

    #Max upload size
    client_max_body_size 75M; # adjust to taste

    location /media {
        alias /opt/apps/site-env/site/media;
    }

    location /static {
        alias /opt/apps/site-env/site/static;
    }

    location / {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params;
        proxy_pass_header X-CSRFToken;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;
    }
}
```
I've also turned off both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE in my Django settings.
Thanks
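
As an added example (not part of the original post), here is a small Python check over the posted config that reports two things nginx will not treat the way the layout suggests: a directive with no terminating `;` absorbs the following tokens as arguments, and `proxy_*` directives belong to the proxy module, so they apply to `proxy_pass` and not to `uwsgi_pass`. The `KNOWN` set, the function names and the simplified tokenizer are assumptions made for this example.

```python
import re

# Constructed sample: the server block from the post, trimmed to the relevant lines.
SAMPLE = """
server {
    listen 80;
    server_name mysite.org
    charset utf-8;
    location / {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params;
        proxy_pass_header X-CSRFToken;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header HOST $http_host;
    }
}
"""
# Assumption: only the directive names used in the post; extend for other configs.
KNOWN = {"listen", "server_name", "charset", "root", "alias", "include",
         "client_max_body_size", "uwsgi_pass", "proxy_pass",
         "proxy_set_header", "proxy_pass_header"}

def parse(tokens):
    """Consume tokens up to the matching '}'; return [(name, args, children_or_None)]."""
    nodes, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in (";", "{"):
            children = parse(tokens) if tok == "{" else None
            if words:
                nodes.append((words[0], words[1:], children))
            words = []
        else:
            words.append(tok)
    return nodes

def lint(text):
    # Simplified tokenizer: drops '#' comments, does not handle quoted strings.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    findings = []
    def walk(nodes):
        for name, args, children in nodes:
            findings.extend(f"{name}: '{a}' parsed as an argument, missing ';' before it?"
                            for a in args if a in KNOWN)
            if children is None:
                continue
            names = {child[0] for child in children}
            if "uwsgi_pass" in names and "proxy_pass" not in names:
                findings.extend(f"{n}: proxy-module directive in a uwsgi_pass block, no effect there"
                                for n, _, _ in children if n.startswith("proxy_"))
            walk(children)
    walk(parse(tokens))
    return findings
```

Calling `lint(SAMPLE)` returns one finding for `server_name` and one for each of the three `proxy_*` lines. With `uwsgi_pass`, nginx forwards client request headers by default, and additional values are passed with `uwsgi_param`.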