CSRF Failing
I'm having an issue with the CSRF failing inconsistently.
Here are the modules that I have installed:
Django == 1.7.4
Cors Headers == 1.0.0
Rest Framework == 3.0.2
I have this in my settings.py:

INSTALLED_APPS = (
    ...,
    'corsheaders',
    ...
)

MIDDLEWARE_CLASSES = (
    ...,
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
)

CORS_ORIGIN_ALLOW_ALL = True
CORS_URLS_REGEX = r'^/api/.*$'
The issue that I'm getting is CSRF Failed: CSRF token missing or incorrect from the server; however, this is happening inconsistently. Sometimes the CSRF will not fail, but after an hour or less it starts to fail again.
Could this be because of Rest Framework 3 or Django 1.7?
Issue analytics: created 9 years ago; 5 comments (2 by maintainers).
Top GitHub Comments
Yes, please open another issue. I'm not sure, but I think just disabling CSRF is the sensible thing, since we're explicitly allowing cross-site requests. Also, most people use CORS to protect APIs which take JSON, rather than HTML form data, which is what CSRF is mostly about protecting.
Well, the Django docs actually do not address this issue. There, it is suggested that you read the CSRF token from the cookie on the API server, but in a CORS setting this is not possible.
That is, if I have two servers, API server and the cross-origin server, the cross-origin server cannot access the cookies of the API server, hence cannot set the X-CSRF header.
The only way I can think of is to add another endpoint to the API server that returns the CSRF token in a GET request, and then save that in the cross-origin server's code and use it in further POST requests; however, that doesn't seem very secure according to https://github.com/pillarjs/understanding-csrf/
Also see https://github.com/pillarjs/understanding-csrf/issues/6 .
Here, it seems to suggest that having a special endpoint for /csrf seems OK as long as we only allow CORS access from the cross-origin server we explicitly manage.
However, I am still not sure what the best way to deal with CSRF in a CORS setting is. Should we just ignore CSRF for CORS? Some pointers in the docs regarding that would be helpful. I can open another issue for that if you like.
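The exchange the last comment describes (a GET endpoint that hands the front end its CSRF token, with CORS restricted to the one origin we manage) as an added, self-contained model. This is example code written for this page, not code from the issue, from django-cors-headers or from Django; it does not reproduce Django's own check (Django compares the csrftoken cookie against the X-CSRFToken header), but instead binds the token to the session with an HMAC so the property the comment relies on is visible: a token only helps a request that also carries the matching session cookie and comes from an allowlisted Origin. The endpoint path /api/csrf, the origins app.example.com and other.example.net, the session ids and the secret are all constructed for the example.

```python
import hashlib
import hmac

# Constructed values for this example; none of them come from the issue.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
TRUSTED_ORIGIN = "https://app.example.com"      # the front-end origin we manage
OTHER_ORIGIN = "https://other.example.net"      # any origin not on the allowlist
ALLOWED_ORIGINS = {TRUSTED_ORIGIN}              # explicit allowlist, not allow-all
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_token_for_session(session_id: str) -> str:
    """Derive a token bound to the session, so a token issued to one
    session is useless when replayed with a different session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_get_csrf(request: dict):
    """GET /api/csrf (hypothetical endpoint): return the caller's own token in
    the JSON body. Only origins on the CORS allowlist may read that body with
    credentials attached, which is what makes such an endpoint acceptable."""
    if request["headers"].get("Origin") not in ALLOWED_ORIGINS:
        return 403, {"detail": "origin not allowed"}
    session_id = request["cookies"].get("sessionid")
    if session_id is None:
        return 401, {"detail": "authentication required"}
    return 200, {"csrfToken": csrf_token_for_session(session_id)}


def check_unsafe_request(request: dict):
    """Checks the API server applies to state-changing methods:
    Origin on the allowlist, a session cookie, and a header token
    that matches the token bound to that session."""
    if request["method"] in SAFE_METHODS:
        return 200, "ok (safe method, no CSRF check)"
    if request["headers"].get("Origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    session_id = request["cookies"].get("sessionid")
    if session_id is None:
        return 403, "authentication required"
    sent = request["headers"].get("X-CSRFToken", "")
    expected = csrf_token_for_session(session_id)
    # Constant-time comparison; encode so non-ASCII header values cannot raise.
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "CSRF Failed: CSRF token missing or incorrect"
    return 200, "ok"


def legitimate_client_flow(session_id: str):
    """The front end on TRUSTED_ORIGIN: fetch the token with credentials,
    then POST with it in the X-CSRFToken header."""
    get = {"method": "GET", "headers": {"Origin": TRUSTED_ORIGIN},
           "cookies": {"sessionid": session_id}}
    status, body = handle_get_csrf(get)
    if status != 200:
        return status, body["detail"]
    post = {"method": "POST",
            "headers": {"Origin": TRUSTED_ORIGIN, "X-CSRFToken": body["csrfToken"]},
            "cookies": {"sessionid": session_id}}
    return check_unsafe_request(post)


def forged_request_flow(session_id: str):
    """A page on OTHER_ORIGIN: the browser still attaches the victim's session
    cookie, but that page's script cannot read the /api/csrf response (CORS
    denies it) and its request arrives with an Origin that is not allowlisted."""
    post = {"method": "POST", "headers": {"Origin": OTHER_ORIGIN},
            "cookies": {"sessionid": session_id}}
    return check_unsafe_request(post)


if __name__ == "__main__":
    print(legitimate_client_flow("sess-1"))   # (200, 'ok')
    print(forged_request_flow("sess-1"))      # (403, 'origin not allowed')
```

In Django terms the shape is the same: an explicit CORS allowlist (django-cors-headers' CORS_ORIGIN_WHITELIST together with CORS_ALLOW_CREDENTIALS = True, rather than CORS_ORIGIN_ALLOW_ALL = True as in the settings above) and a view that returns django.middleware.csrf.get_token(request) to the front end; the setting and function names are stated here as assumptions about the versions in the issue, not as something the thread confirms. Note that the model checks the Origin header before the token, so a request from an origin outside the allowlist is rejected even if it somehow carried a valid token.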