1

I have a simple Django webhook that keeps returning a 403 forbidden despite I have marked it with csrf_exempt.

Here is the relevant code:

urls.py

 ...
 url(r'^mail/$', MailView.as_view(), name="mail"),
 ...

view.py

class MailView(View):
    @csrf_exempt
    def dispatch(self, *args, **kwargs):
        return super(MailTrackingView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
        return HttpResponse(status=204)

When sending data to this endpoint, Django gives a 

Forbidden (CSRF cookie not set.): /mail/

What else do I have to set so the CSRF validation is not performed?

wasp256
  • 5,943
  • 12
  • 72
  • 119

2 Answers2

0

I believe you have to wrap it inside method_decorator Try

class MailView(View):
    @method_decorator(csrf_exempt))        
    def dispatch(self, *args, **kwargs):
        return super(MailTrackingView, self).dispatch(*args, **kwargs)

You cal also do:

@method_decorator(csrf_exempt, name='dispatch')
class MailView(View):

Update

Do you have CSRF_USE_SESSIONS set to True?

Here's the code I used to test it and it works as expected; if the decorator is commented out, I get a 403 CSRF failure, if it is left then my post succeeds.

View File

class MyView(View):

    @method_decorator(csrf_exempt)
    def dispatch(self, *args, **kwargs):
        return super(MyView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
        return HttpResponse(status=204)

    def get(self, request, *args, **kwargs):
        form = """
        Authenticated: {}
        <form method="post">
            <label for="your_name">Your name: </label>
            <input id="your_name" type="text" name="your_name">
            <input type="submit" value="OK">
        </form>
        """.format(request.user.is_authenticated())
        return HttpResponse(form)

URLs File

    url(r'^test/', views.MyView.as_view()),
rtindru
  • 5,107
  • 9
  • 41
  • 59
-1

Add { %csrf_token% } in your form in the template.

And declare: 

CSRF_COOKIE_SECURE = True

https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-secure