adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


CSRF Failed: Referer checking failed - Referer is insecure while host is secure

aamirbhat opened this issue · comments

I have the HTTPS server and localhost as HTTP on Django 2.1.
I want the frontend (React) and backend (Django) to work separately for dev environments.

  • It always throws "Referer is insecure while host is secure".

This is my settings configuration (if my address is https://mydomain.abc.in):

    CORS_ORIGIN_ALLOW_ALL = True
    CSRF_TRUSTED_ORIGINS = ['mydomain.abc.in']
    CORS_ALLOW_CREDENTIALS = True
    SESSION_COOKIE_SAMESITE = None
    CORS_REPLACE_HTTPS_REFERER = True

Please let me know the issues

Did you correctly install corsheaders.middleware.CorsPostCsrfMiddleware?

These are my middlewares:

    MIDDLEWARE = [
        'corsheaders.middleware.CorsMiddleware',
        'debug_toolbar.middleware.DebugToolbarMiddleware',
        'django.middleware.security.SecurityMiddleware',
        # 'django.middleware.common.BrokenLinkEmailsMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'corsheaders.middleware.CorsPostCsrfMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'impersonate.middleware.ImpersonateMiddleware',  # TODO: remember to place this middleware after "django.contrib.auth.middleware"
        'django.contrib.messages.middleware.MessageMiddleware',
        # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
        'accounts.middleware.AutoLogout',
    ]

That looks fine. Please provide a complete traceback which will show where the error is raised.

This feature no longer appears to be working, the changes that enabling CORS_REPLACE_HTTPS_REFERER makes to request.META don't seem to carry over to the CsrfMiddleware.

I also see that #536 aims to deprecate this functionality entirely. Could you perhaps clarify @adamchainz ?

@voyc-jean I don't know why it would stop working as you describe.

Did you try using the CSRF_TRUSTED_ORIGINS setting as per the changelog note on that PR? That would be the replacement for the CORS_REPLACE_HTTPS_REFERER hacky setting.

If it doesn't work, can you try debugging why the change wouldn't be made? Or provide a sample project.

@adamchainz Apologies, I somehow managed to miss the changelog note 🤦

The Referer scheme check (and subsequent rejection) appears to happen before CSRF_TRUSTED_ORIGINS is checked for good hosts.

Perhaps I am misunderstanding what CORS_REPLACE_HTTPS_REFERER is meant to do? In my case, I have a React frontend on http://frontend.service.com:3000 attempting a POST to my DRF API at https://api.service.com

However, when I attempt the POST request to https://api.service.com I receive a response of:

{"detail":"CSRF Failed: Referer checking failed - Referer is insecure while host is secure."}

My settings are as follows:

    MIDDLEWARE = [
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'corsheaders.middleware.CorsPostCsrfMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        'debug_toolbar.middleware.DebugToolbarMiddleware',
    ]

CORS_ALLOWED_ORIGINS = ['http://frontend.service.com:3000']
CORS_ALLOW_CREDENTIALS = True
CORS_REPLACE_HTTPS_REFERER = True

CSRF_TRUSTED_ORIGINS = [
    'frontend.service.com:3000',
    'frontend.service.com'
]

Indeed you are misunderstanding. The error you're seeing is not possible to disable with any setting. See the Django source: https://github.com/django/django/blob/e02738bf55f66939be63f75d4fdcdc2ebc36e435/django/middleware/csrf.py#L250

Deploying your application with HTTPS is really your only option. Any workaround you find to disable that check will make your application insecure.

For development you can use a service like ngrok.

Given your issue is separate to the original one, and I never received a reply from @aamirbhat, I'm going to close this issue.
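To make the closing explanation concrete, here is an added example (not Django's or this project's code) that re-implements, in the same order, the Referer checks Django 2.x/3.x `CsrfViewMiddleware` applies to an HTTPS request: the scheme check fires before `CSRF_TRUSTED_ORIGINS` is consulted, so no origin entry can admit an `http://` referer to an `https://` host. The function names, signature, and the hosts from the thread are assumptions made for the illustration.

```python
from urllib.parse import urlparse

# Simplified re-implementation of the Referer checks in Django's CsrfViewMiddleware
# (2.x/3.x), written for illustration; not Django's own code. The rejection
# strings mirror the ones the thread quotes from the JSON error response.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def is_same_domain(host, pattern):
    """Mirror of django.utils.http.is_same_domain: a pattern starting with '.'
    matches the domain and all subdomains; otherwise an exact (case-insensitive) match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def check_referer(is_secure, referer, request_host, trusted_origins=(), cookie_domain=None):
    """Return None when the referer is acceptable, else the rejection reason.

    is_secure       -- request.is_secure(): True for an HTTPS request
    referer         -- value of the Referer header, or None when absent
    request_host    -- request.get_host(), e.g. 'api.service.com'
    trusted_origins -- settings.CSRF_TRUSTED_ORIGINS (host[:port] entries, pre-Django 4.0 style)
    cookie_domain   -- settings.CSRF_COOKIE_DOMAIN, if set
    """
    if not is_secure:
        # Plain-HTTP requests skip the Referer check entirely.
        return None
    if referer is None:
        return REASON_NO_REFERER
    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    # The check hit in this thread: it runs before any trusted-origin list is read.
    if parsed.scheme != "https":
        return REASON_INSECURE_REFERER
    good_hosts = list(trusted_origins) + [cookie_domain or request_host]
    if not any(is_same_domain(parsed.netloc, h) for h in good_hosts):
        return REASON_BAD_REFERER % parsed.geturl()
    return None
```

With the thread's settings, `check_referer(True, "http://frontend.service.com:3000/", "api.service.com", ["frontend.service.com:3000", "frontend.service.com"])` returns the insecure-referer reason, while the same call with an `https://` referer passes, which is why serving the frontend over HTTPS (or via a tunnel such as ngrok) is the fix.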