Why doesn't Django's CSRF work over HTTPS?

Question

I have a Django website at http://example.com that works fine, including post requests. I've added HTTPS so my site is accessible at https://example.com too.

I can load any page on HTTPS, but I always get CSRF validation errors when I try to POST. POST requests work fine on HTTP.

My Django process is running with gunicorn behind nginx, and I have nginx setting X_Forwarded_For. So, an HTTPS request has the following headers (taken from request.META):

'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5',
'HTTP_CONNECTION': 'close',
'HTTP_COOKIE': 'redacted',
'HTTP_HOST': 'example.com:80',
'HTTP_REFERER': 'https://example.com/user/delete/49/',
'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0',
'HTTP_X_FORWARDED_FOR': '1.2.3.4, 192.168.252.22',
'HTTP_X_FORWARDED_PROTO': 'https',
'HTTP_X_REAL_IP': '1.2.3.4',

and an HTTP request has the following headers:

'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5',
'HTTP_CONNECTION': 'close',
'HTTP_COOKIE': 'redacted',
'HTTP_HOST': 'example.com.com:80',
'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0',
'HTTP_X_FORWARDED_FOR': '1.2.3.4, 192.168.252.22',
'HTTP_X_FORWARDED_PROTO': 'http',
'HTTP_X_REAL_IP': '1.2.3.4',

Why doesn't CSRF work on HTTPS when I have no problems over HTTP?

Wilfred Hughes · Accepted Answer · 2013-12-10T15:30:45.807

11

Turns out it was an nginx configuration issue. My server setup is:

nginx -> nginx -> gunicorn

On the second nginx system, I had

proxy_set_header        Host            $host:$server_port;

However, since HTTPS is terminated at the first nginx, $server_port was always 80.

On HTTPS, Django does strict referer checking (see point 4). Looking at the Django source:

good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):
    reason = REASON_BAD_REFERER % (referer, good_referer)
    logger.warning('Forbidden (%s): %s', reason, request.path,
        extra={
            'status_code': 403,
            'request': request,
        }
    )
    return self._reject(request, reason)

CSRF validation was failing because "https://example.com/" != "https://example.com:80/".

edited Dec 10 '13 at 15:30

answered Oct 25 '13 at 15:26

Wilfred Hughes

29,846
15
139
192

17

what is the solution? – varnothing Feb 16 '16 at 06:01
it's awesome :D – anjaneyulubatta505 Sep 05 '18 at 06:15
1

I met the same problem which error message is `CSRF Failed: Referer checking failed - https://example.com:port/ does not match any trusted origins.`. My simple solution is setting CSRF_TRUSTED_ORIGINS = ['example.com:port'] – lily LIU Aug 09 '19 at 03:25
I solved it copying config from https://mattsegal.dev/nginx-django-reverse-proxy-config.html – Leopd Aug 31 '21 at 00:29

score 3 · Answer 2 · answered Oct 30 '19 at 10:48

Like mentioned here I solved this problem by adding the following Django constants in settings.py so Django considers proxy headers:

# Setup support for proxy headers
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

score 0 · Answer 3 · answered Sep 13 '21 at 19:45

0

Your CSRF_TRUSTED_ORIGINS setting is wrong - change it to:

CSRF_TRUSTED_ORIGINS = ['similarchords.com', 'www.similarchords.com']

answered Sep 13 '21 at 19:45

Sanjay Sikdar

435
4
10

score 0 · Answer 4 · answered Feb 23 '22 at 16:15

In my case I had a public host with HTTPS but the internal host was HTTP so forwarding https://myhost.com/path/ to http://internal-host.myhost.com/path failed. Here is how the config was:

location @proxy_to_app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # the following means the $scheme e.g. https is forwarded
    # disabling this fixes the problem
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://app_server;
}

score 0 · Answer 5 · edited Jun 09 '23 at 18:36

0

this code worked for me

CSRF_TRUSTED_ORIGINS = [
    'https://domain name',
    
]

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True

edited Jun 09 '23 at 18:36

Virb

1,639
1
16
25

answered Jun 08 '23 at 05:14

Sorker Limon

1
1

score -2 · Answer 6 · answered Nov 13 '14 at 13:02

-2

If you look at the implementation of CsrfViewMiddleware

Django checks for 'Referer' header when request.is_secure()

good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):
    reason = REASON_BAD_REFERER % (referer, good_referer)
    return self._reject(request, reason)

answered Nov 13 '14 at 13:02

Nam Ngo

2,093
1
23
30

2

what is the solution? – varnothing Feb 16 '16 at 06:01

Why doesn't Django's CSRF work over HTTPS?

6 Answers6