CSRF verification failed - Referer is insecure while host is secure


Problem description



I upgraded Django from 1.8 to 1.9. Afterwards, I get this error on my localhost after the Django admin login:

Referer checking failed - Referer is insecure while host is secure.

Everything works fine in production. Below is a snippet of my settings.py file:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Solution

Those lines in your settings.py file are fine on production because you're using an SSL certificate attached to your domain. However, on local you're probably using http://localhost:8000 or something similar. If you try to connect via https://localhost:{{YOUR_PORT_NUMBER}} you'll most likely get an error like ERR_SSL_PROTOCOL_ERROR.

The issue is in lines 167-168 of django/django/middleware/csrf.py. When you're using https on production, request.is_secure() is returning True...which requires that the HTTP_REFERER also be true or you'll get the error you referenced.

One solution would be to adjust your settings.py file depending on whether you're in your local or production environment. That way you can add those three lines to a settings_production.py file that imports other settings that are common to both localhost and your production server. Your localhost would use a different set of settings that don't include those lines.
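The check the answer points at, as an added example that is not part of the original post or of Django itself: a small model of the Referer logic in django/django/middleware/csrf.py, with the question's SECURE_PROXY_SSL_HEADER setting in a production dict and omitted from a local one, so the same plain-http localhost request can be seen rejected under one and skipped under the other. The settings dicts and request META dicts are constructed stand-ins.

```python
# Added example modelling django/django/middleware/csrf.py (not Django's code).
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."

# The proxy-header line from the question lives only in the production settings;
# the local settings omit it (constructed stand-ins for two settings modules).
SETTINGS_PRODUCTION = {"SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https")}
SETTINGS_LOCAL = {}


def is_secure(meta, settings):
    """request.is_secure(): https scheme, or the trusted proxy header matches."""
    if meta.get("wsgi.url_scheme") == "https":
        return True
    proxy_header = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy_header:
        header, expected = proxy_header
        return meta.get(header) == expected
    return False


def csrf_referer_check(meta, settings):
    """Return None if the request passes, else the rejection reason (secure requests only)."""
    if not is_secure(meta, settings):
        return None  # plain http: Django does not inspect the Referer at all
    referer = meta.get("HTTP_REFERER")
    if referer is None:
        return REASON_NO_REFERER
    parsed = urlparse(referer)
    if "" in (parsed.scheme, parsed.netloc):
        return REASON_MALFORMED_REFERER
    if parsed.scheme != "https":  # secure host, plain-http Referer: the question's error
        return REASON_INSECURE_REFERER
    if parsed.netloc != meta.get("HTTP_HOST"):
        return REASON_BAD_REFERER % (referer, meta.get("HTTP_HOST"))
    return None


# Constructed sample request META: a login POST that a proxy header marks as
# secure while the browser's Referer is still the plain-http local URL.
LOCAL_POST = {
    "HTTP_HOST": "localhost:8000",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_REFERER": "http://localhost:8000/admin/login/",
}
```

Running `csrf_referer_check(LOCAL_POST, SETTINGS_PRODUCTION)` returns the question's rejection string, while the same request under `SETTINGS_LOCAL` returns None because the request is no longer considered secure.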
