After updating from Django 2 to Django 4.0.1 I am getting CSRF errors on all POST requests. The logs show:
"WARNING:django.security.csrf:Forbidden (Origin checking failed - https://127.0.0.1 does not match any trusted origins.): /activate/"
I can't figure out how to set a wildcard for CSRF_TRUSTED_ORIGINS. I have a server shipped to customers who host it on their own domain, so there is no way for me to know the origin beforehand. I have tried the following with no luck:
CSRF_TRUSTED_ORIGINS = ["https://*", "http://*"]
and
CSRF_TRUSTED_ORIGINS = ["*"]
Explicitly setting "https://127.0.0.1" in the CSRF_TRUSTED_ORIGINS works but won't work in my customer's production deployment which will get another hostname.
CodePudding user response:
Yes, it changed in the 4.0 version, as you can see here:
Changed in Django 4.0:
The values in older versions must only include the hostname (possibly with a leading dot) and not the scheme or an asterisk.
Also, Origin header checking isn’t performed in older versions.
Note: you are not supposed to use * in production.
CodePudding user response:
The Django app is running using Gunicorn behind NGINX. Because SSL is terminated after NGINX, request.is_secure() returns False, which results in the Origin header not matching the host here.
I resolved the issue by adding the following in Django:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
And ensured that NGINX is forwarding the http scheme with the following in my NGINX conf:
proxy_set_header X-Forwarded-Proto $scheme;
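The interaction described in this answer, as an added standalone illustration (not code from the question, the answer, or Django itself): a small re-implementation that mirrors the Django 4 Origin check and the SECURE_PROXY_SSL_HEADER logic, run against a constructed WSGI environ for a request that NGINX terminated TLS for. It shows why "https://127.0.0.1" fails without the proxy header setting, why "https://*" never matches, and how a "https://*.example.com" entry matches subdomains. Function names and the sample environ are my own.

```python
from urllib.parse import urlparse

# Constructed sample: the WSGI environ Gunicorn sees behind NGINX. TLS was
# terminated at NGINX, so the scheme is plain http, but the browser's Origin
# header still says https and NGINX passes the real scheme in X-Forwarded-Proto.
PROXIED_REQUEST = {
    "HTTP_HOST": "127.0.0.1",
    "HTTP_ORIGIN": "https://127.0.0.1",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "https",
}
SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # the SECURE_PROXY_SSL_HEADER value


def is_same_domain(host, pattern):
    # Same semantics as Django's is_same_domain: a pattern starting with "."
    # matches that domain and any subdomain; an empty pattern matches nothing.
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def is_secure(meta, secure_proxy_ssl_header=None):
    # request.is_secure(): trust the proxy header only when the setting names it.
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if header in meta:
            return meta[header] == value
    return meta.get("wsgi.url_scheme") == "https"


def origin_verified(meta, trusted_origins, secure_proxy_ssl_header=None):
    # 1) Origin must equal scheme://host of the request as Django sees it,
    # 2) or be listed exactly, 3) or match a "scheme://*.domain" entry.
    origin = meta["HTTP_ORIGIN"]
    scheme = "https" if is_secure(meta, secure_proxy_ssl_header) else "http"
    if origin == "%s://%s" % (scheme, meta["HTTP_HOST"]):
        return True
    if origin in {o for o in trusted_origins if "*" not in o}:
        return True
    subdomains = {}
    for o in trusted_origins:
        if "*" in o:
            p = urlparse(o)
            subdomains.setdefault(p.scheme, []).append(p.netloc.lstrip("*"))
    p = urlparse(origin)
    return any(is_same_domain(p.netloc.lower(), pat) for pat in subdomains.get(p.scheme, ()))
```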
