Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

Question

Help

Reason given for failure:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

Answer 1

If you are using CloudFlare as a proxy between your server and the user, and you are using HTTPS, then you may be experiencing this issue.

In one of your templates, add this code to debug this issue:

is_secure: {{ request.is_secure }}

Load your website over HTTPS. You should see is_secure: True. If you see is_secure: False, then there is an issue that can cause this problem.

Since CloudFlare sets the X-Forwarded-Proto header and we trust all requests are coming through CloudFlare, set this:

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

(If you can't trust that all requests are coming through CloudFlare, then this is dangerous to set, see the documentation.)

Open your CloudFlare settings in your web browser, and navigate to SSL/TLS. Make sure your encryption mode is not "Flexible" but is "Full" or "Full (strict)". That way, the connection between your server and CloudFlare is over HTTPS. Your server will need to support HTTPS for this to work.

Now, when you load a page over HTTPS, you should see: is_secure: True, and this CSRF issue should resolve itself.

Answer 2

If you are doing a cross-origin request, you may be seeing this error. For example, if you are submitting a form to api.example.com from a web page on site.example.com, this is a cross-origin request and it may cause this error. (If you are not doing a cross-origin request, but you are doing a normal request through HTTPS, then see the other answers.)

Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.

If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.

CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']

Review this line for any changes needed, for example if you need to swap out https for http.

Root cause is the addition of origin header checking in 4.0.

https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

Changed in Django 4.0:

Origin header checking isn’t performed in older versions.

Answer 3

Origin and host are the same domain

If, like me, you are getting this error when the origin and the host are the same domain.

It could be because:

1. You are serving your django app over HTTPS,
2. Your django app is behind a proxy e.g. Nginx,
3. You have forgotten to set SECURE_PROXY_SSL_HEADER in your settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and/or
4. You have forgotten to set the header in your server configuration e.g. proxy_set_header X-Forwarded-Proto https; for Nginx.

In this case:

• The origin header from the client's browser will be https://www.example.com due to 1.
• request.is_secure() is returning False due to 2, 3 and 4.
• Meaning _origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):

    def _origin_verified(self, request):
        request_origin = request.META["HTTP_ORIGIN"]
        try:
            good_host = request.get_host()
        except DisallowedHost:
            pass
        else:
            good_origin = "%s://%s" % (
                "https" if request.is_secure() else "http",
                good_host,
            )
            if request_origin == good_origin:
                return True

Make sure you read the warning in https://docs.djangoproject.com/en/stable/ref/settings/#secure-proxy-ssl-header before changing this setting though!

Answer 4

Mar, 2022 Update:

If your django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed - https://example.com does not match any trusted origins.

Add this code to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got this error:

Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']

Answer 5

You can also have this error because you are using a container on Proxmox.
If your https domain name is routed by Proxmox via an internal http connection you will have this error.

DOMAIN NAME (https) => Proxmox => (http) => Container with Django : CSRF ERROR

I had this error, and change the routing via Proxmox to my container via an https internal connection (I had to create and sign a certificate on my CT).

DOMAIN NAME (hhtps) => Proxmox => (https) => Container with Django

Since the CSRF error on Django disappeared.