
The request headers are as below.

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:129
Content-Type:text/plain
Host:localhost:9000
Origin:http://localhost:8000
Referer:http://localhost:8000/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
X-CSRFTOKEN:t5Nx0SW9haZTeOcErcBDtaq6psqBfeyuX4LRQ1WOOXq5g93tQkvcUZDGoWz8wSeD

The X-CSRFTOKEN header is there, but Django still complains that the CSRF cookie is not set. What is happening with Django?

In settings.py, the naming is perfectly correct.

CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
Mervyn Lee

1 Answer


Check if CSRF_COOKIE_SECURE is set to true.

You would get such an error message if CSRF_COOKIE_SECURE is true and you access a site through http instead of https.
Or you need to use (for testing only) csrf_exempt.

For example, curtisp mentions in the comments:

I had conditional dev vs prod settings and accidentally put dev settings to CSRF_COOKIE_SECURE = True and SESSION_COOKIE_SECURE = True.
My dev site is localhost on a laptop, and does not have SSL.
So changing dev settings to False fixed it for me.

VonC
  • Tried it. I literally read through all related problems on Stack Overflow and Google but still no luck though. – Mervyn Lee Oct 29 '17 at 09:20
  • @MervynLee Strange: did you try https://stackoverflow.com/a/30875830/6309 – VonC Oct 29 '17 at 09:22
  • They are facing the problem with DRF. I am actually sending a POST request to the backend (Django) for signup purposes, with ReactJS. I spotted that by logging into the admin panel, the header is not X-CSRF but is named Cookie:vcubes=JSfUYXtNIMa9NSDZWUMuVpclItFfpsaHGI8HRvznzMmszn5lH68Md9MdSEbOGdpB; sessionid=notinzk6uavo7c3zjpit484fj8dglag9. I am investigating this issue in this direction. I replaced the X-CSRF header name with Cookie, but then it won't appear in the browser F12. – Mervyn Lee Oct 29 '17 at 09:27
  • This helped me. I had conditional dev vs prod settings and accidentally put dev settings to CSRF_COOKIE_SECURE = True and SESSION_COOKIE_SECURE = True. My dev site is localhost on a laptop and does not have SSL. So changing dev settings to False fixed it for me. – curtisp Feb 07 '20 at 12:42
  • @curtisp Thank you for this feedback. I have included your comment in the answer for more visibility. – VonC Feb 07 '20 at 12:46
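The mechanism behind the accepted answer, as an added example that is not part of the question, VonC's answer or Django itself: a Secure cookie is never sent by the browser over plain http, and Django's CsrfViewMiddleware rejects a POST with "CSRF cookie not set." before it ever looks at the X-CSRFToken header, so a correct header name (HTTP_X_CSRFTOKEN, which is Django's default) cannot help while the cookie is missing. The block derives CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE from the scheme the site is actually served on, shows how a header name maps to its request.META key, and models the order of the middleware checks in plain Python without importing Django. The helper names (cookie_settings, header_to_meta_key, browser_sends_cookie, csrf_check), the site_url parameter and the token values are assumptions made for this example; the token comparison is plain equality standing in for Django's masked, constant-time comparison.

```python
from urllib.parse import urlsplit

# Django's default value for CSRF_HEADER_NAME (the question sets the same value).
DEFAULT_CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"


def header_to_meta_key(header_name: str) -> str:
    """Map a request header name to the WSGI request.META key Django reads:
    X-CSRFToken -> HTTP_X_CSRFTOKEN (uppercase, '-' becomes '_', 'HTTP_' prefix)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cookie_settings(site_url: str) -> dict:
    """Return the cookie-related Django settings for a site served at site_url.

    The Secure flag is tied to the scheme the site is really reachable on, so a
    dev server on http://localhost:8000 never gets CSRF_COOKIE_SECURE = True
    (the misconfiguration curtisp describes in the comments).
    """
    scheme = urlsplit(site_url).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"site_url must start with http:// or https://, got {site_url!r}")
    secure = scheme == "https"
    return {
        "CSRF_COOKIE_SECURE": secure,
        "SESSION_COOKIE_SECURE": secure,
        "CSRF_HEADER_NAME": DEFAULT_CSRF_HEADER_NAME,
        # Front-end JavaScript (the React app in the question) must be able to
        # read the csrftoken cookie to copy it into the header, so not HttpOnly.
        "CSRF_COOKIE_HTTPONLY": False,
    }


def browser_sends_cookie(cookie_secure: bool, request_scheme: str) -> bool:
    """Browser rule: a cookie flagged Secure is only sent over https."""
    return request_scheme == "https" or not cookie_secure


def csrf_check(settings: dict, request_scheme: str, request_headers: dict, cookie_jar: dict) -> str:
    """Simplified model (constructed for this example) of the order in which
    Django's CsrfViewMiddleware rejects an unsafe request such as a POST.
    Returns 'ok' or Django's rejection reason."""
    # Step 1: the csrftoken cookie must reach the server. If it is flagged Secure
    # and the request is plain http, the browser never attaches it.
    cookie_token = cookie_jar.get("csrftoken")
    if cookie_token is None or not browser_sends_cookie(settings["CSRF_COOKIE_SECURE"], request_scheme):
        return "CSRF cookie not set."
    # Step 2: only now is the request token read from the configured META key.
    meta = {header_to_meta_key(name): value for name, value in request_headers.items()}
    request_token = meta.get(settings["CSRF_HEADER_NAME"])
    if request_token is None or request_token != cookie_token:
        return "CSRF token missing or incorrect."
    return "ok"


if __name__ == "__main__":
    token = "constructed-example-token"  # constructed sample value, not a real token
    jar = {"csrftoken": token}
    headers = {"X-CSRFToken": token}
    dev = cookie_settings("http://localhost:8000")
    broken_dev = dict(dev, CSRF_COOKIE_SECURE=True)  # the misconfiguration from the comments
    print("dev over http:        ", csrf_check(dev, "http", headers, jar))
    print("Secure cookie, http:  ", csrf_check(broken_dev, "http", headers, jar))
    print("Secure cookie, https: ", csrf_check(broken_dev, "https", headers, jar))
    print("no header:            ", csrf_check(dev, "http", {}, jar))
```

Running it shows the symptom from the question reproduced only in the "Secure cookie, http" case: the same headers and the same cookie jar pass once the request is over https or once CSRF_COOKIE_SECURE is False for the http dev site, and a missing or wrong X-CSRFToken header produces a different message, "CSRF token missing or incorrect.", which is how to tell the two failures apart when debugging.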