Django REST Framework CSRF Failed: CSRF cookie not set

Question

I am using the django rest framework to perform API calls via IOS and I get the following error "CSRF Failed: CSRF cookie not set."

Here's my django API code:

class LoginView(APIView):
    """
    List all snippets, or create a new snippet.
    """
    @csrf_exempt
    def get(self, request, format=None):
        startups = Startup.objects.all()
        serializer = StartupSerializer(startups, many=True)
        return Response(serializer.data)

    @csrf_exempt
    def post(self, request, format=None):
        profile = request.POST
....

What can I do?

Answer 1

It took a while to find out but i had to just rearrange my urls. I was using Token based authentication but still getting the error until i put the admin site urls at the bottom. Alternatively you could add admin/ to avoid the error

urlpatterns = [
path('api/v1/', include([
    path('client/', include('client.urls')),
]), name="api"),
path('', admin.site.urls, name="admin"),

] In settings.py add this

REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
    'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
    'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_RENDERER_CLASSES': [
    'rest_framework.renderers.JSONRenderer',
    'rest_framework.renderers.AdminRenderer',
],
'PAGE_SIZE': 20

}

Answer 2

I've had the same issue. My problem was that I forgot to put .as_view() in urls.py on MyAPIView. So it have to be like:

url(r'$', GetLikesAPI.as_view(), name='list')

not:

url(r'$', GetLikesAPI, name='list')

Answer 3

For GETs, you shouldn't be modifying data, so a CSRF isn't required.

If you are modifying data with a POST, then you SHOULD have a CSRF if you are using session based authentication. Otherwise, you're opening up a security hole. Even though you think your Django server is going to be servicing iPhone apps, there's nothing to stop someone with your app from sniffing the packets on the traffic to your server, and then reverse engineering access to the server with other kinds of web clients. For this reason, Django Rest Framework requires a CSRF in some cases. This is mentioned in the Django rest framework documentation.

The path around this requirement for POSTs is to not use session authentication. For example, you could use BasicAuthentication over HTTPS. With this authentication mechanism, you should use HTTPS to prevent credentials from being passed in the clear with every request.

Answer 4

urlpatterns = patterns('',
       url('^login/$', csrf_exempt(views.LoginView.as_view())),
       ...
)

Guys. I had the same error and spent a lot of time just for finding that: 1) I had another router with 'login' and there i missed '$'. I mean sometimes you can forget something in routing and get this error.

Answer 5

In my case it happend because I sent put request to url='http://example.com/list/5' without slash at the end. When I changed url to url='http://example.com/list/5/' all started to work.

Answer 6

The problem you encounter here is that django for processing your view is using whatever as_view() method will return, not directly method get() or post().

Therefore you should decorate your class-based view in one of following ways:

1. In urls.py

    urlpatterns = patterns('',
        url('^login/$', csrf_exempt(views.LoginView.as_view())),
        ...
    )

2. or on dispatch() method (pre django 1.9)

    from django.utils.decorators import method_decorator

    class LoginView(APIView):
       @method_decorator(csrf_exempt)
       def dispatch(self, *args, **kwargs):
           ...

3. or on class view itself (from django 1.9)

    from django.utils.decorators import method_decorator


    @method_decorator(csrf_exempt, name='dispatch')
    class LoginView(APIView):
           ...

Answer 7

This is an old question but something we ran into recently.

DRF disables CSRF by default, unless using session authentication. By default NSURLconnection is set up to handle cookies. You need to explicitly tell the iOS app to not use cookies. Then you can keep using session auth if needed and not have to csrf exempt your views.

Answer 8

If anyone is still following this question, the direct answer is that you need to use the decorator on the view method itself. The get and post methods defined on the APIView class just tell DRF how the actual view should behave, but the view method that the django router expects is not actually instantiated until you call LoginView.as_view().

Thus, the solution is to add the csrf_exempt decorator to urls.py. It might look as follows:

#file: urls.py

from django.conf.urls import patterns, url
from django.views.decorators.csrf import csrf_exempt

import views

urlpatterns = patterns('',
    url('^login/$', csrf_exempt(views.LoginView.as_view())),
    ...
)

However, as Mark points out above, csrf protection is important to prevent your sessions from being hijacked. I haven't worked with iOS myself, but I would look into using django's cookie-based csrf tokens. You can use the ensure_csrf_cookie decorator to make django send a csrftoken cookie with a response, and your POST requests will validate as long as you include that token as an X-CSRFToken header.