Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

We Are Going To Discuss About Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins. So lets Start this Python Article.

Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

  1. How to solve Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

    Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.
    If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.
    CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']
    Review this line for any changes needed, for example if you need to swap out https for http.
    Root cause is the addition of origin header checking in 4.0.
    https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins
    Changed in Django 4.0:
    Origin header checking isn’t performed in older versions.

  2. Forbidden (403) CSRF verification failed. Request aborted. Reason given for failure: Origin checking failed does not match any trusted origins

    Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.
    If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.
    CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']
    Review this line for any changes needed, for example if you need to swap out https for http.
    Root cause is the addition of origin header checking in 4.0.
    https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins
    Changed in Django 4.0:
    Origin header checking isn’t performed in older versions.

Solution 1

Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.

If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can’t POST a form containing a CSRF without it.

CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']

Review this line for any changes needed, for example if you need to swap out https for http.

Root cause is the addition of origin header checking in 4.0.

https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

Changed in Django 4.0:

Origin header checking isn’t performed in older versions.

Original Author Ryan McGrath Of This Content

Solution 2

Mar, 2022 Update:

If your django version is “4.x.x”:

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed – https://example.com does not
match any trusted origins.

Add this code to “settings.py”:

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got this error:

Origin checking failed – https://praktikum6.jhoncena.repl.co does not
match any trusted origins.

So, you need to add this code to your “settings.py”:

CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']

Original Author Kai – Kazuya Ito Of This Content

Solution 3

Origin and host are the same domain

If, like me, you are getting this error when the origin and the host are the same domain.

It could be because:

  1. You are serving your django app over HTTPS,
  2. Your django app is behind a proxy e.g. Nginx,
  3. You have forgotten to set SECURE_PROXY_SSL_HEADER in your settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') and/or
  4. You have forgotten to set the header in your server configuration e.g. proxy_set_header X-Forwarded-Proto https; for Nginx.

In this case:

  • The origin header from the client’s browser will be https://www.example.com due to 1.
  • request.is_secure() is returning False due to 2, 3 and 4.
  • Meaning _origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):
    def _origin_verified(self, request):
        request_origin = request.META["HTTP_ORIGIN"]
        try:
            good_host = request.get_host()
        except DisallowedHost:
            pass
        else:
            good_origin = "%s://%s" % (
                "https" if request.is_secure() else "http",
                good_host,
            )
            if request_origin == good_origin:
                return True

Make sure you read the warning in https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header before changing this setting though!

Original Author Chris Of This Content

Conclusion

So This is all About This Tutorial. Hope This Tutorial Helped You. Thank You.

Also Read,

ittutorial team

I am an Information Technology Engineer. I have Completed my MCA And I have 4 Year Plus Experience, I am a web developer with knowledge of multiple back-end platforms Like PHP, Node.js, Python and frontend JavaScript frameworks Like Angular, React, and Vue.

Leave a Comment