1

I need my Django app to be able to receive unsolicited POST requests, without the CSRF token. This question has been asked before here, but the answer given, implementing a class-based view with functions get and post, has not helped me.

This is my view class:

from django.http import HttpResponse
from django.views.generic import TemplateView

# Class-based view that should answer both GET and POST
class WebHooks(TemplateView):

    def get(self, request):
        return HttpResponse("get")

    def post(self, request):
        return HttpResponse("post")

I also added the directive

<Location "/">
   AllowMethods GET POST OPTIONS
</Location>

to my httpd.conf for Apache and set the CSRF_USE_SESSION constant in Django's settings.py to False.

Testing this with Postman keeps returning "get". The server access log reads "POST /url HTTP/1.1" 403 3366.

How do I enable POST requests?

EDIT:

I did some local testing on the server and found that it must be Apache that's screwing me here. Sending a POST request to Django's development server returned "post" while returning "get" on the Apache server.

EDIT2:

It seems Apache redirects all traffic by default. To enable it to forward POST requests to the django app I need the mod_proxy and mod_rewrite modules according to this question. I loaded the modules and edited my VirtualHost to look like this:

<VirtualHost *:443>
    RewriteEngine On
    RewriteRule /proxy/(.*)$ https://www.my.domain/$1 [P,L]
    ServerName my.domain
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile "path/to/cert"
    SSLCertificateKeyFile "path/to/key"
</VirtualHost>

I am still unsure in which Directory directive to place the lines

    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted

POST requests still get turned into GET requests...

EDIT3:

After writing EDIT2 I reread my question and noticed that my problem went from django refusing a POST request to Apache turning POST requests to GET requests. I don't know why. This is highly confusing to me.

Tharrry
  • Use `@csrf_exempt` decorator. https://docs.djangoproject.com/en/3.1/ref/csrf/#django.views.decorators.csrf.csrf_exempt – Dimitar Aug 31 '20 at 13:44
  • Sadly this works in neither a class-based nor a function-based view for me – Tharrry Aug 31 '20 at 14:47
  • For class based it is like this `@method_decorator(csrf_exempt, name='dispatch')`. But if it doesn't work in function based view maybe that's not the issue. – Dimitar Aug 31 '20 at 14:52
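EDIT2 and EDIT3 above describe POST requests arriving at the app as GETs. One mechanism that produces exactly that symptom is an HTTP 301/302 redirect (for example one that adds a trailing slash or moves a request from http to https): clients follow it by re-issuing the request as a GET with no body, whereas 307/308 preserve the method. The following is an added example, not code from the question, that reproduces this client behaviour locally with Python's standard library (a throwaway http.server instance and urllib). It does not show whether the asker's Apache configuration actually issues such a redirect; the check for that is to send the POST without following redirects (curl does not follow them unless -L is given) and look for a 3xx status with a Location header.

```python
"""Added example: why a POST can reach the backend as a GET.

A constructed local server answers POST /old with a configurable redirect
status and records the method it receives on /new. urllib, like browsers
and curl -L, re-issues the request as a GET after a 301/302/303 and keeps
the method (or, for urllib, refuses to resubmit the body) after a 307/308.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class Handler(BaseHTTPRequestHandler):
    """Constructed backend: redirects POST /old, echoes the method elsewhere."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _respond(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Drain the request body before answering.
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)
        if self.path == "/old":
            self._respond(self.server.redirect_status, location="/new")
        else:
            self._respond(200, b"POST")

    def do_GET(self):
        self._respond(200, b"GET")


def method_seen_after_redirect(redirect_status):
    """POST to /old through urllib and return what the backend finally saw.

    Returns "GET" when the client converted the request, "POST" when the
    method survived, or "refused:<code>" when urllib declined to resubmit
    the body automatically (its behaviour for 307/308 on a POST).
    """
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    server.redirect_status = redirect_status
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/old"
        req = Request(url, data=b"payload=1", method="POST")
        try:
            with urlopen(req) as resp:
                return resp.read().decode()
        except HTTPError as err:
            return f"refused:{err.code}"
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status in (301, 302, 307):
        print(status, "->", method_seen_after_redirect(status))
```

Running the block prints that 301 and 302 turn the POST into a GET at the backend, which is the pattern in the question's EDIT3; only a 307/308 keeps the method, and a reverse proxy that forwards the request (mod_proxy with [P]) never redirects at all, so the method is preserved there too.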

2 Answers

0

Comment out django.middleware.csrf.CsrfViewMiddleware in the MIDDLEWARE entry in settings.py of your django project.

I tried curl -X POST localhost:8000/ after adding a trivial post to a class-based view. It returned the famous 403 CSRF verification failed.

After commenting out the above middleware the post method was invoked.

Ramon
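The answer above removes CsrfViewMiddleware for the whole project, which drops CSRF protection from every view that still relies on it. The comments on the question point at the narrower option, `@method_decorator(csrf_exempt, name='dispatch')` on the one class-based view that must accept unsolicited POSTs. The block below is an added example (not the answer's code, and not from the Django documentation) that does that and, because the exempted view no longer has a CSRF token to rely on, authenticates the caller with an HMAC-SHA256 signature over the raw body instead. The header name `X-Hook-Signature`, the secret value and the hex signature format are assumptions chosen for illustration; the signature helpers use only the standard library and are defined so they can be exercised without Django installed.

```python
"""Added example: exempt one webhook view from CSRF and verify an HMAC
signature instead of trusting any unsolicited POST. CsrfViewMiddleware
stays enabled for the rest of the project.
"""
import hashlib
import hmac

# Constructed values for the example. In a deployment the secret comes
# from settings or the environment, never from source code.
WEBHOOK_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Hook-Signature"  # assumed header name


def compute_signature(secret, body):
    """Hex-encoded HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_is_valid(secret, body, presented):
    """True only if `presented` equals the expected signature.

    compare_digest runs in constant time, so a wrong signature cannot be
    narrowed down byte by byte from response timing.
    """
    if not presented:
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected.encode(), presented.encode())


try:
    # The Django view is only defined when Django can be imported, so the
    # helpers above remain usable (and testable) on their own.
    from django.http import HttpResponse, HttpResponseForbidden
    from django.utils.decorators import method_decorator
    from django.views import View
    from django.views.decorators.csrf import csrf_exempt

    @method_decorator(csrf_exempt, name="dispatch")
    class WebHooks(View):
        """Accepts unsolicited POSTs without a CSRF token; only this view is exempt."""

        def get(self, request):
            return HttpResponse("get")

        def post(self, request):
            presented = request.headers.get(SIGNATURE_HEADER)
            if not signature_is_valid(WEBHOOK_SECRET, request.body, presented):
                # Unsigned or tampered payload: reject before doing any work.
                return HttpResponseForbidden("bad signature")
            return HttpResponse("post")

except ImportError:
    pass
```

The sender computes the same HMAC over the exact bytes it posts and puts the hex digest in the header; any change to the body, the secret or the header makes the comparison fail, which is what stands in for the CSRF check on this one endpoint while every other view keeps the middleware's protection.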
-2

Had a similar problem. The easiest fix is to disable the firewall to get the GET and POST working.

Adrian
  • I think that proposing that anyone disable the firewall is the worst idea possible, as it will affect the security of the whole app instead of permitting posting into one view. Also, the question doesn't say anything about a firewall, WAF or the OS used. – Dawid Bugajewski Sep 17 '20 at 09:29
  • Firewall is not related to CSRF token. CSRF token is just a cookie. – mrvol Sep 19 '20 at 11:38