65

Help

Reason given for failure:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

Super Kai - Kazuya Ito
  • 22,221
  • 10
  • 124
  • 129
Erico Fahri
  • 651
  • 1
  • 3
  • 3

5 Answers5

168

Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.

If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.

CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']

Review this line for any changes needed, for example if you need to swap out https for http.

Root cause is the addition of origin header checking in 4.0.

https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

Changed in Django 4.0:

Origin header checking isn’t performed in older versions.

Ryan McGrath
  • 2,180
  • 1
  • 11
  • 10
  • sir, i am trying to make request to django from localhost:300 (reactjs) and I have added CSRF_TRUSTED_ORIGINS = ['http://localhost:3000/'] , but it's still saying that Forbidden (Origin checking failed - http://localhost:3000 does not match any trusted origins.): /api/login/ , can you please help me with this – faijan memon Jan 06 '22 at 11:53
  • 2
    If I am already using the `ALLOWED_HOSTS` setting to get values set from environment variables, is there any reason to not just set `CSRF_TRUSTED_ORIGINS` to the same thing? IE `os.getenv('ALLOWED_HOSTS').split(',')`? – pspahn Sep 14 '22 at 22:01
  • This may work for some, but is not the only possible solution. See Chris's answer below. (`SECURE_PROXY_SSL_HEADER`) – Michael Herrmann Mar 07 '23 at 08:01
  • This should only be done if you're actually doing a cross-origin request (i.e. submitting a form to api.example.com from a page on site.example.com). If you're not attempting to do this (rare) action, then it's likely the `SECURE_PROXY_SSL_HEADER` setting as described in another answer. – Kenny Loveall May 08 '23 at 18:28
48

Mar, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got this error:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Super Kai - Kazuya Ito
  • 22,221
  • 10
  • 124
  • 129
  • This should only be done if you're actually doing a cross-origin request (i.e. submitting a form to api.example.com from a page on site.example.com). If you're not attempting to do this (rare) action, then it's likely the `SECURE_PROXY_SSL_HEADER` setting as described in another answer. – Kenny Loveall May 08 '23 at 18:28
39

Origin and host are the same domain

If, like me, you are getting this error when the origin and the host are the same domain.

It could be because:

  1. You are serving your django app over HTTPS,
  2. Your django app is behind a proxy e.g. Nginx,
  3. You have forgotten to set SECURE_PROXY_SSL_HEADER in your settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and/or
  4. You have forgotten to set the header in your server configuration e.g. proxy_set_header X-Forwarded-Proto https; for Nginx.

In this case:

  • The origin header from the client's browser will be https://www.example.com due to 1.
  • request.is_secure() is returning False due to 2, 3 and 4.
  • Meaning _origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):
    def _origin_verified(self, request):
        request_origin = request.META["HTTP_ORIGIN"]
        try:
            good_host = request.get_host()
        except DisallowedHost:
            pass
        else:
            good_origin = "%s://%s" % (
                "https" if request.is_secure() else "http",
                good_host,
            )
            if request_origin == good_origin:
                return True

Make sure you read the warning in https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header before changing this setting though!

Chris
  • 567
  • 1
  • 6
  • 10
  • 3
    Actually, this answer is correct way to fix this error. It fixes two issues one is this CSRF check and other is `request.is_secure()` value, which it should return `True` in this case. By updating `CSRF_TRUSTED_ORIGINS`, you would fix it, but i would consider it as hack, it solves only this problem. – Akshay Pratap Singh Jul 18 '22 at 16:50
  • 1
    This is the correct answer for most cases. And even if you’re not running the web host, deployment platforms like fly.io do, and they send your app these headers. – Nils Aug 13 '22 at 15:58
  • but what if we want to make a login form work on HTTP? – Conor Sep 10 '22 at 13:42
  • It worked for me after this setup in NGINX: add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"'; – jesus.saad Dec 27 '22 at 17:49
  • I spent a week trying to figure out the issue. This answer solved it. I can remove `@csrf_exempt` now! – tumultous_rooster Jan 18 '23 at 23:04
0

You can also have this error because you are using a container on Proxmox.
If your https domain name is routed by Proxmox via an internal http connection you will have this error.

DOMAIN NAME (https) => Proxmox => (http) => Container with Django : CSRF ERROR

I had this error, and change the routing via Proxmox to my container via an https internal connection (I had to create and sign a certificate on my CT).

DOMAIN NAME (hhtps) => Proxmox => (https) => Container with Django

Since the CSRF error on Django disappeared.

G.Lebret
  • 2,826
  • 2
  • 16
  • 27
0

If someone using .env with you've to use env.list()

One have to set CSRF origins like this in .env

CSRF_TRUSTED_ORIGINS=one.example.com two.example.com

and access it in settings.py like this

CSRF_TRUSTED_ORIGINS = env.list('CSRF_TRUSTED_ORIGINS')
Ankit Tiwari
  • 4,438
  • 4
  • 14
  • 41