CSRF validation does not work on Django using HTTPS


I am developing an application which the frontend is an AngularJS API that makes requests to the backend API developed in Django Rest Framework.

The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net

I am having problems making requests from the frontend API to the backend API. The error is this:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

I am using CORS and I have already included the following lines in my settings.py in the Django backend API:





CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']


CSRF_COOKIE_DOMAIN = 'bluemix.net'


Anyone knows how to solve this problem?

Asked By: ccr



Django 4.0 and above

For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Django 3.2 and lower

For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

You probably also need to put something in ALLOWED_HOSTS

Answered By: solarissmoke

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don’t need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM – it might help somebody

the problem we had was a peculiar one, we have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware was creating automatically a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser and therefore, the request was made using SessionAuthentication instead of TokenAuthentication and failing.

Removing the cookie was obviously fixing the problem.

Answered By: Tysoncete

If you are running Django 4.x, you need to change the syntax to include the schema as part of the value.

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']


Answered By: stenius

According to this documentation. https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes

  1. install cors-header by: doing
    pip install django-cors-headers

  2. Add corsheaders to you installed apps

  3. Add the corsheader Middleware to your middleware


4 Set the origin

 CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Answered By: Oreximena

Apr, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed – https://example.com does not match any trusted origins.

Add this code below to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got the similar error to above:

Error: CSRF Failed: Referer checking failed – https://front.bluemix.net does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Answered By: Kai – Kazuya Ito

I was also facing this issue. Ensure that the domain name does not contain the trailing slash. Instead of

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

Change it to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
Answered By: Enock Simiyu