CSRF验证不适用于使用HTTPS的Django [英] CSRF validation does not work on Django using HTTPS

问题描述

我正在开发一个前端为AngularJS API的应用程序，该应用程序向Django Rest Framework中开发的后端API发出请求。

I am developing an application which the frontend is an AngularJS API that makes requests to the backend API developed in Django Rest Framework.

The frontend is on the domain: https://front.bluemix.net
And my backend is on the domain: https://back.bluemix.net

我在从前端API向后端API发出请求时遇到问题。错误是这样的：

I am having problems making requests from the frontend API to the backend API. The error is this:

Error: CSRF Failed: Referer checking failed - https://front.bluemix.net does not match any trusted origins.

我正在使用CORS，并且已经在Django后端的settings.py中添加了以下几行API：

I am using CORS and I have already included the following lines in my settings.py in the Django backend API:

ALLOWED_HOSTS = []

CORS_ALLOW_CREDENTIALS = True

CORS_ORIGIN_ALLOW_ALL = True

CORS_ALLOW_CREDENTIALS = True


CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

CORS_REPLACE_HTTPS_REFERER = True

CSRF_COOKIE_DOMAIN = 'bluemix.net'

CORS_ORIGIN_WHITELIST = (
    'https://front.bluemix.net/',
    'front.bluemix.net',
    'bluemix.net',
)

任何人都知道如何解决该问题吗？

Anyone knows how to solve this problem?

推荐答案

您的 CSRF_TRUSTED_ORIGINS 设置是错误的-将其更改为：

Your CSRF_TRUSTED_ORIGINS setting is wrong - change it to:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

此设置需要仅主机名，而不是方案。无论如何，方案是多余的，因为该设置仅在通过HTTPS连接时才有效。

The setting requires a hostname only, not a scheme. A scheme is redundant anyway because the setting only has any effect when connecting over HTTPS.

您可能还需要将某些内容放入 ALLOWED_HOSTS ...

You probably also need to put something in ALLOWED_HOSTS...

这篇关于CSRF验证不适用于使用HTTPS的Django的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！