Develop Reference

Django app runs locally but I get CSRF verification failed on Heroku

My app runs fine at heroku local but after deployed to Heroku, every time I try to login/register/login as admin, it returns this error shown below.
I have tried to put #csrf_exempt on profile views, but that didn't fix the issue.
What can I do?

The error message is fairly self-explanatory (please excuse typos as I can't copy from an image):
Origin checking failed - https://pacific-coast-78888.herokuapp.com does not match any trusted origins
The domain you are using is not a trusted origin for CSRF.
There is then a link to the documentation, which I suspect goes to the Django CSRF documentation, though the documentation for the CSRF_TRUSTED_ORIGINS setting might be more useful:
A list of trusted origins for unsafe requests (e.g. POST).
For requests that include the Origin header, Django’s CSRF protection requires that header match the origin present in the Host header.
Look in your settings.py for CSRF_TRUSTED_ORIGINS and add https://pacific-coast-78888.herokuapp.com to the list. If that setting doesn't already exist, simply add it:
CSRF_TRUSTED_ORIGINS = ["https://pacific-coast-78888.herokuapp.com"]

If Heroku uses django "4.x.x" version:
Then, if the error is as shown below:
Origin checking failed - https://example.com does not match any trusted origins.
Add this code below to "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://example.com']
In your case, you got this error:
Origin checking failed - https://pacific-coast-78888.herokuapp.com does not match any trusted origins.
So, you need to add this code below to your "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://pacific-coast-78888.herokuapp.com']

It appears you do not have your heroku address as a trusted origin in the setting.py file of your project, to do this, you can use corsheaders
pip install django-cors-headers
then in your settings.py file
INSTALLED_APPS = [
...
'corsheaders',
...
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
...
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'corsheaders.middleware.CorsMiddleware',
]
If you were not yet deployed you could add CORS_ORIGIN_ALLOW_ALL = True but because you know where your app is deployed using a whitelist for the origins is a much better idea
CORS_ORIGIN_WHITELIST = (
'https://pacific-coast-78888.herokuapp.com',
)

CORS header missing when project hosted in a Subpath

I have a Django(v2.2) project hosted on an url which looks like
https://some.example.com/mypath/ which has an API endpoint at blog/create.
I need to make a POST request from https://some.example.com/anotherpath/ofmine/ (using axios), but that gives me a 301 error with the following messages in Firefox 71.0:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://some.example.com/mypath/blog/create/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://some.example.com/mypath/blog/create/. (Reason: CORS request did not succeed).
However, I can easily make the same requests to a dev server hosted locally.
Relevant settings:
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'rest_framework_docs',
'corsheaders',
'django_extensions',
...
]
USE_X_FORWARDED_HOST = True
FORCE_SCRIPT_NAME = '/mypath'
CORS_ORIGIN_ALLOW_ALL = True
What could be the reason and possible workarounds for the error?

According to the django-cors-headers docs, you need to set the CORS_ORIGIN_WHITELIST to include your endpoint(s), or set CORS_ORIGIN_ALLOW_ALL to True to allow all hosts (not recommended for production though).

Stupid mistake. some.example.com redirects to www.some.example.com so I'd been trying to access APIs at some.example.com (which doesn't exist, hence the 301) from www.some.example.com. Prefixed the www on the request url and it's working fine; I don't even need CORS headers, of course.

wrong behavior of uwsgi and CSRF_TRUSTED_ORIGINS in django [duplicate]

I am developing an application which the frontend is an AngularJS API that makes requests to the backend API developed in Django Rest Framework.
The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net
I am having problems making requests from the frontend API to the backend API. The error is this:
Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.
I am using CORS and I have already included the following lines in my settings.py in the Django backend API:
ALLOWED_HOSTS = []
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']
CORS_REPLACE_HTTPS_REFERER = True
CSRF_COOKIE_DOMAIN = 'bluemix.net'
CORS_ORIGIN_WHITELIST = (
'https://front.bluemix.net/',
'front.bluemix.net',
'bluemix.net',
)
Anyone knows how to solve this problem?

Django 4.0 and above
For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Django 3.2 and lower
For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:
CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
You probably also need to put something in ALLOWED_HOSTS...

If you are running Django 4.x, you need to change the syntax to include the schema as part of the value.
CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
to
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
https://docs.djangoproject.com/en/dev/releases/4.0/#format-change

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.
SOLUTION TO MY PROBLEM - it might help somebody
the problem we had was a peculiar one, we have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware was creating automatically a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:
Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.
That was only because the session_id cookie was already set in the browser and therefore, the request was made using SessionAuthentication instead of TokenAuthentication and failing.
Removing the cookie was obviously fixing the problem.

According to this documentation. https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes
install cors-header by: doing
pip install django-cors-headers
Add corsheaders to you installed apps
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'MyApp',
'crispy_forms',
'corsheaders',
]
Add the corsheader Middleware to your middleware
MIDDLEWARE = [
'**corsheaders.middleware.CorsMiddleware**',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
4 Set the origin
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Apr, 2022 Update:
If your django version is "4.x.x":
python -m django --version
// 4.x.x
Then, if the error is as shown below:
Origin checking failed - https://example.com does not match any trusted origins.
Add this code below to "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://example.com']
In your case, you got the similar error to above:
Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.
So, you need to add this code to your "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

I was also facing this issue. Ensure that the domain name does not contain the trailing slash. Instead of
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']
Change it to
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Using django subdomain and it says localhost does not belong to the domain example.com

I'm using the Django Package django-subdomain, and I don't think I've configured it correctly.
Now that I'm trying to load data from the DB I'm getting this error in the terminal
The host localhost:8000 does not belong to the domain example.com, unable to identify the subdomain for this request
I don't have any references to example.com in my project.
Here's my subdomain config:
ROOT_URLCONF = 'creativeflow.urls'
# A dictionary of urlconf module paths, keyed by their subdomain.
SUBDOMAIN_URLCONFS = {
None: ROOT_URLCONF, # no subdomain, e.g. ``example.com``
'www': ROOT_URLCONF,
'blog': ROOT_URLCONF + '.blogs',
}
SITE_ID = 1
Middleware:
MIDDLEWARE_CLASSES = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'subdomains.middleware.SubdomainURLRoutingMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
My urls:
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^posts/(?P<year>\d{4})/(?P<months>\d{2}|\w{3})/(?P<day>\d{2})',
BlogListView.as_view(paginate_by=25), name="blog-list-view"),
]
I'm not certain of what other config I need to let me use/develop with subdomains. What do I need to change so I can access the BlogListView at http://localhost:8000/posts/2016/07/09 ? Or better via the actual subdomain of blog.creativeflow.com/posts/2016/07/09 ? I suspect the latter is just a simple change to the windows equivalent of /etc/hosts/.

SITE = 1 will correspond to the default example.com set by django.contrib.site.
django.contrib.sites registers a post_migrate signal handler which creates a default site named example.com with the domain example.com. This site will also be created after Django creates the test database.
This is stored in the DB so there's no way to set this purely in config.
To set it in the DB, follow the steps here:
>>> from django.contrib.sites.models import Site
>>> one = Site.objects.all()[0]
>>> one.domain = 'myveryspecialdomain.com'
>>> one.name = 'My Special Site Name'
>>> one.save()
Then you can run python manage.py dumpdata sites which produces a JSON of the data you've just loaded. Then later load it using django-admin loaddata fixture [fixture ...]. Otherwise you can set it via the admin interface, under the Site app.
This will display as example.org before it's fixed:
Change these:
That should fix the issue.

Why have you set SITE_ID = 1?
From the Django Docs for django.contrib.site:
django.contrib.sites registers a post_migrate signal handler which creates a default site named example.com with the domain example.com. This site will also be created after Django creates the test database.
You need to specify the correct SITE_ID for your current site.

What do I need to change so I can access the BlogListView at
http://localhost:8000/posts/2016/07/09 ? Or better via the actual
subdomain of blog.creativeflow.com
I've set up my linode with subdomains pointed to different apps and sites. I did this by configuring NGINX webserver and uWSGI web app daemon in "emperor" mode.
To test django-subdomain locally this question on adding subdomains to localhost may help.

Django Localhost CORS not working

I have a local Django setup as follows
Django Rest Framework:localhost:8000
AngularJS frontend:local apache running on http://localservername
I've installed django-cors-headers and in my settings.py, I've setup my
CORS_ORIGIN_WHITELIST = (
'http://localhost',
'localservername',
'http://localservername',
'127.0.0.1'
)
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
However, I get a No 'Access-Control-Allow-Origin' header is present on the requested resource. error whenever I hit any API that's served from the Rest Framework. If I set CORS_ORIGIN_ALLOW_ALL = True, then the API's work correctly but that's highly insecure for my server side data.
What do I have to change to fix this?

Here in this error the hint is clearly mentioning that it needs https://
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
Moreover, it is also true that braces matters in django settings.
CORS_ORIGIN_WHITELIST = [
'https://localhost:3000'
]
And the above settings work fine.
While the same settings with different brackets won't work
CORS_ORIGIN_WHITELIST = (
'https://localhost:3000'
)

For me i used [] instead of ().
Also don't add a '/' at the end url.
Something like this
CORS_ORIGIN_WHITELIST = [
'http://localhost:3000'
]

I had the same problem. By browsing the django-cors-headers-code found my mistake was the following:
While a complete CORS-header looks like this (notice schema AND hostname):
Access-Control-Allow-Origin: https://example.com
The CORS_ORIGIN_WHITELIST setting wants it in a format that compares to urlparse.netloc (docs) of the Origin-header, which is only the host (possibly the port)
def origin_found_in_white_lists(self, origin, url):
return (
url.netloc in conf.CORS_ORIGIN_WHITELIST or
(origin == 'null' and origin in conf.CORS_ORIGIN_WHITELIST) or
self.regex_domain_match(origin)
)
While the RegEx-whitelist compares it against the complete Origin-header.
So the correct setting (as the example in the setup-manual correctly states, but not properly describes) would be:
CORS_ORIGIN_WHITELIST = (
'example.com',
)
Which can be a problem if you do not want your API to talk to the non-secure http-version of a website. Use the RegEx in that case.
Also note: during troubleshooting I found out that the CORS-header is completely absent if no match is found. Which means that absence of the header is not a sure indication of a complete malfunction of the middleware, but maybe just a misconfiguration.

As per http://www.w3.org/Security/wiki/Same_Origin_Policy, the requests should be from same port, scheme, and host to be considered as same origin. Here one of your server is in port 80 and the other one is on 8080.
An origin is defined by the scheme, host, and port of a URL. Generally
speaking, documents retrieved from distinct origins are isolated from
each other. For example, if a document retrieved from
http://example.com/doc.html tries to access the DOM of a document
retrieved from https://example.com/target.html, the user agent will
disallow access because the origin of the first document, (http,
example.com, 80), does not match the origin of the second document
(https, example.com, 443).

This works for me, Please check with this, it may help you to resolve your issue.
CORS_ORIGIN_WHITELIST = (
'http://localhost',
)

Braces matter for me,use [] instead of (),
I have verified in Django,
others I haven't checked.
Write Like This:
CORS_ORIGIN_WHITELIST=[
'https://localhost:3000'
]

CORS_ORIGIN_WHITELIST=[ 'https://localhost:3000' ] it works fine.

Writing like
CORS_ORIGIN_WHITELIST = [ 'https://localhost:3000' ]
worked fine for me.

Copy the whitelist code from the django-cors-headers documentation, and then just modify it:
CORS_ORIGIN_WHITELIST = [
"https://example.com",
"https://sub.example.com",
"http://localhost:8080",
"http://127.0.0.1:9000"
]
That will guarantee you that you didn't make any typos.

Make sure that not to add path /, like following:
CORS_ORIGIN_WHITELIST = (
'https://localhost:3000/'
)
Just add the following code instead.
CORS_ORIGIN_WHITELIST = [
'https://localhost:3000'
]

maybe braces matter
[] instead of ()
CORS_ORIGIN_WHITELIST = [
'http://localhost',
'localservername',
'http://localservername',
'127.0.0.1'
]
should work

I think the best way to do solve this error is :-
Type the URL in the browser, for eg :-
If you are running an angular app, then do,
ng serve
and type the URL given by "ng serve" command into the browser. for eg :-
localhost:4200
then, Copy the URL from the browser and paste as it is in the cors allowed host. eg :-
CORS_ALLOWED_ORIGINS = [
'http://localhost:4200',
]
Note :- Don't forget to Remove the last "/" sign from the URL, so instead of,
http://localhost:4200/
add this :- http://localhost:4200
And after this, you'll see no error.

I fixed this by fixing the order in:
INSTALLED_APPS = [
...
'corsheaders',
'image_cropping',
'easy_thumbnails',
...
'rest_framework',
...
]
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
...
]

install Django cors package
django-cors-headers
go to settings.py and add it to installed apps
INSTALLED_APPS = [
.....
'corsheaders',
]
add it to the middleware
MIDDLEWARE = [
........
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
]
Most important step
add this right below the middleware without a slash at the end
CORS_ORIGIN_WHITELIST = ['http://localhost:3000']