iMath

Reputation: 2478

Django: CSRF verification failed. Request aborted

The called view function is like this

import json
from django.http import HttpResponse

def parsing(request):
    url = request.POST['url']
    ...
    return HttpResponse(json.dumps(resultDict))

When I make a post request to it via the following code,

import requests
url = 'http://tv.cntv.cn/video/C12278/a7ea7c0e810b4701bf1d3f5254b8a26a'
c = requests.post("http://127.0.0.1:8000/VideoParser/", data={'url': url})
print(c.text)

then the request failed and it just gave out the following HTML code,

<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>


  <p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
  <p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for &#39;same-origin&#39; requests.</p>

</div>

<div id="info">
  <h2>Help</h2>
    
    <p>Reason given for failure:</p>
    <pre>
    CSRF cookie not set.
    </pre>
    

  <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
  <a
  href="https://docs.djangoproject.com/en/1.9/ref/csrf/">Django's
  CSRF mechanism</a> has not been used correctly.  For POST forms, you need to
  ensure:</p>

  <ul>
    <li>Your browser is accepting cookies.</li>

    <li>The view function passes a <code>request</code> to the template's <a
    href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
    method.</li>

    <li>In the template, there is a <code>{% csrf_token
    %}</code> template tag inside each POST form that
    targets an internal URL.</li>

    <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
    <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
    template tag, as well as those that accept the POST data.</li>

  </ul>

  <p>You're seeing the help section of this page because you have <code>DEBUG =
  True</code> in your Django settings file. Change that to <code>False</code>,
  and only the initial error message will be displayed.  </p>

  <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>

</body>
</html>

It seems the reason given for failure is

CSRF cookie not set.

However, my app doesn't involve any cookie or template explicitly during the whole process. Can anyone help fix the problem? I am just a beginning Django learner.

Upvotes: 1

Views: 5074

Answers (4)

Kristiyan Gospodinov

Reputation: 586

Just remove "django.middleware.csrf.CsrfViewMiddleware" from MIDDLEWARE_CLASSES in your settings.py

Upvotes: 1

Piyush S. Wanare

Reputation: 4933

You have two options for this problem.

First:-

If you want to use CSRF authentication, you need to add the cookie to every request coming from the front end. For that, you need to add the following snippet to your front-end code:

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}
var csrftoken = getCookie('csrftoken');

and pass this csrftoken in your Ajax call or angular service as a header.

Second :-

And if you're getting a cross-header error, so that it is denying your request to the Django server, then just do pip install django-cors-headers and modify settings.py with

INSTALLED_APPS = (
    ...
    'corsheaders',
    ...
)


MIDDLEWARE_CLASSES = (
    ...
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
)

Hope it will help you!!

Upvotes: 0

alioguzhan

Reputation: 7917

You can use csrf_exempt decorator for your view:

import json

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def parsing(request):
    url = request.POST['url']
    ...
    return HttpResponse(json.dumps(resultDict))

From the docs:

This decorator marks a view as being exempt from the protection ensured by the middleware.

You can read more about csrf protection here

Upvotes: 2

Cal Eliacheff

Reputation: 246

You are using a POST request, which is protected against CSRF attacks by requesting a token.

You can read more about CSRF tokens in the Django docs: https://docs.djangoproject.com/en/1.9/ref/csrf/

Upvotes: 1
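
The token round trip the answers above refer to, for a script client like the one in the question, as an added example that is not part of any post on this page. It uses only the Python standard library; `StubView` is a constructed stand-in for a CSRF-protected view that only compares the `csrftoken` cookie with the `X-CSRFToken` header (a simplification of Django's check), and the token value, `post_url`, `demo` and the example.test URL are assumptions. A real Django view sets the cookie on GET only when it renders the token or is decorated with `ensure_csrf_cookie`.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructedtoken0123"  # constructed sample value, not a real Django token

class StubView(BaseHTTPRequestHandler):
    """Constructed stand-in for a protected view: cookie must match header."""
    def log_message(self, *args):  # keep the demo quiet
        pass
    def do_GET(self):  # sets the cookie, as a page carrying the token would
        self.send_response(200)
        self.send_header("Set-Cookie", "csrftoken=%s; Path=/" % TOKEN)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        has_cookie = "csrftoken=" + TOKEN in self.headers.get("Cookie", "")
        ok = has_cookie and self.headers.get("X-CSRFToken") == TOKEN
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

def post_url(base, video_url, send_csrf):
    """POST like the question's script; optionally fetch and echo the token."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))
    headers = {}
    if send_csrf:
        opener.open(base).read()  # GET stores the csrftoken cookie in the jar
        headers["X-CSRFToken"] = next(c.value for c in jar if c.name == "csrftoken")
    body = urllib.parse.urlencode({"url": video_url}).encode()
    try:
        return opener.open(urllib.request.Request(base, body, headers)).status
    except urllib.error.HTTPError as err:
        return err.code  # 403 when the cookie/header pair is missing

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubView)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/VideoParser/" % server.server_port
    try:
        video = "http://example.test/video/1"  # constructed URL
        return post_url(base, video, False), post_url(base, video, True)
    finally:
        server.shutdown()
```

`demo()` returns `(403, 200)`: the bare POST is rejected, and the POST that carries the cookie and repeats its value in the header is accepted.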
