[Django]-CSRF validation does not work on Django using HTTPS

151👍

Django 4.0 and above

For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Django 3.2 and lower

For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

You probably also need to put something in ALLOWED_HOSTS.

14👍

If you are running Django 4.x, you need to change the syntax to include the scheme as part of the value.

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']
to
CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

https://docs.djangoproject.com/en/dev/releases/4.0/#format-change

11👍

I was also facing this issue. Ensure that the domain name does not contain a trailing slash. Instead of

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net/']

Change it to

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']
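The three answers above state the same set of rules in pieces (Django 4.0+ entries need a scheme, a trailing slash breaks the match, and the host should also be in ALLOWED_HOSTS). The following checker is an added example, not code from any answer or from Django itself; it uses only the standard library so it runs outside a project, and its ALLOWED_HOSTS matching reproduces Django's wildcard rules (`*` and a leading-dot pattern) as an assumption you should verify against your Django version. The sample settings at the top are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample settings (not from the question), mixing good and bad entries.
SAMPLE_CSRF_TRUSTED_ORIGINS = [
    "https://front.bluemix.net",    # correct Django 4.0+ form
    "front.bluemix.net",            # Django 3.2 form: no scheme
    "https://front.bluemix.net/",   # trailing slash
    "https://*.bluemix.net",        # subdomain wildcard, accepted by 4.0+
]
SAMPLE_ALLOWED_HOSTS = [".bluemix.net"]


def check_trusted_origin(origin: str) -> list[str]:
    """Return the problems with one CSRF_TRUSTED_ORIGINS entry under the Django 4.0+ rules."""
    problems = []
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Without a scheme urlsplit puts the whole string into .path, so stop here.
        problems.append("missing scheme: Django 4.0+ expects 'https://host' or 'http://host'")
        return problems
    if parts.path or parts.query or parts.fragment:
        problems.append("must be scheme://host[:port] only; drop the trailing slash or path")
    if parts.username or parts.password:
        problems.append("credentials are not part of an origin")
    return problems


def host_in_allowed_hosts(origin: str, allowed_hosts: list[str]) -> bool:
    """Mimic Django's ALLOWED_HOSTS matching (assumed): exact host, '*', or '.example.com'
    which covers example.com and every subdomain."""
    host = (urlsplit(origin).hostname or "").lower()
    if host.startswith("*."):
        host = host[2:]  # a wildcard origin is covered if its base domain is allowed
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def audit_settings(csrf_trusted_origins: list[str], allowed_hosts: list[str]) -> dict[str, list[str]]:
    """Map each origin to its list of problems; an empty list means the entry is fine."""
    report = {}
    for origin in csrf_trusted_origins:
        problems = check_trusted_origin(origin)
        if not problems and not host_in_allowed_hosts(origin, allowed_hosts):
            problems.append("host is not covered by ALLOWED_HOSTS")
        report[origin] = problems
    return report


if __name__ == "__main__":
    for origin, problems in audit_settings(SAMPLE_CSRF_TRUSTED_ORIGINS, SAMPLE_ALLOWED_HOSTS).items():
        print(f"{origin!r:32} -> {'ok' if not problems else '; '.join(problems)}")
```

Django 4.0+ reports the missing-scheme case itself when you run `python manage.py check`; the trailing-slash and ALLOWED_HOSTS mismatches are the ones that tend to survive until a real POST fails, which is why they are worth checking up front.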

9👍

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don’t need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM – it might help somebody

The problem we had was a peculiar one: we have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware was automatically creating a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser and therefore the request was made using SessionAuthentication instead of TokenAuthentication, and failed.

Removing the cookie was obviously fixing the problem.

5👍

According to this documentation: https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes

  1. Install cors-headers by doing:

    pip install django-cors-headers

  2. Add corsheaders to your installed apps:

    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'MyApp',
        'crispy_forms',
        'corsheaders',
    ]

  3. Add the corsheaders middleware to your middleware:

    MIDDLEWARE = [
        # CorsMiddleware goes first, before any middleware that can generate a response
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]

  4. Set the origin:

    CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

5👍

Apr, 2022 Update:

If your Django version is "4.x.x":

python -m django --version

// 4.x.x

Then, if the error is as shown below:

Origin checking failed – https://example.com does not match any trusted origins.

Add this code below to "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://example.com']

In your case, you got a similar error to the one above:

Error: CSRF Failed: Referer checking failed – https://front.bluemix.net does not match any trusted origins.

So, you need to add this code to your "settings.py":

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

2👍

This issue can also occur if you have Cloudflare’s SSL/TLS encryption mode set to Flexible. Instead of the site actually being served through HTTPS, Cloudflare was modifying the HTTP site and setting SSL on its end. This led to a failure of the CSRF mechanism, and I kept seeing this error, whatever my CSRF settings were. Toggling off the setting immediately fixed the error.

1👍

If you are using, for example, the Flexible TLS/SSL setting in Cloudflare, put the following in your Django settings.py:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
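The two Cloudflare answers above describe the same mechanism from two sides: in Flexible mode the browser talks HTTPS to the proxy but the origin server receives plain HTTP, so Django's idea of its own origin becomes `http://host` while the browser's Origin header says `https://host`, and the origin check fails regardless of CSRF_TRUSTED_ORIGINS. The following is an added example, not code from either answer or from Django; it re-implements a simplified form of Django 4.0's origin check and of `request.is_secure()` so the three possible outcomes can be seen side by side. It assumes the proxy forwards the visitor's scheme in `X-Forwarded-Proto` (which is what the `SECURE_PROXY_SSL_HEADER` setting in the answer implies); the request META dictionary is constructed, not captured.

```python
from urllib.parse import urlsplit

# Constructed WSGI-style META for a POST that reached the app over plain HTTP
# from the proxy while the browser itself used HTTPS (Cloudflare Flexible mode).
# Header values are illustrative, not captured from a real request.
FLEXIBLE_MODE_META = {
    "HTTP_HOST": "example.com",
    "HTTP_ORIGIN": "https://example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    "wsgi.url_scheme": "http",
}


def request_is_secure(meta, secure_proxy_ssl_header=None):
    """Decide the scheme roughly the way Django's request.is_secure() does:
    honour SECURE_PROXY_SSL_HEADER when that header is present in the request,
    otherwise use the scheme the WSGI server itself saw."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            # If a proxy chain appended several values, only the first one counts.
            return value.split(",", 1)[0].strip() == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def origin_check(meta, csrf_trusted_origins=(), secure_proxy_ssl_header=None):
    """Simplified Django 4.0 CsrfViewMiddleware origin check: the Origin header must
    equal the request's own origin (scheme://host) or be listed in CSRF_TRUSTED_ORIGINS.
    Subdomain wildcards and the Referer fallback are deliberately left out."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False, "no Origin header (real Django then falls back to Referer on HTTPS)"
    scheme = "https" if request_is_secure(meta, secure_proxy_ssl_header) else "http"
    own_origin = f"{scheme}://{meta['HTTP_HOST']}"
    if origin == own_origin:
        return True, "same origin"
    if origin in csrf_trusted_origins:
        return True, "listed in CSRF_TRUSTED_ORIGINS"
    return False, f"Origin checking failed - {origin} does not match any trusted origins."


if __name__ == "__main__":
    # 1. Flexible mode, no extra settings: the mismatch the answers describe.
    print(origin_check(FLEXIBLE_MODE_META))
    # 2. Tell Django to believe the proxy's X-Forwarded-Proto header.
    print(origin_check(FLEXIBLE_MODE_META,
                       secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https")))
    # 3. Or list the HTTPS origin explicitly.
    print(origin_check(FLEXIBLE_MODE_META, csrf_trusted_origins=["https://example.com"]))
```

The second case is the one the answer enables, and it comes with a condition that the function makes visible: once `SECURE_PROXY_SSL_HEADER` is set, any request carrying `X-Forwarded-Proto: https` is treated as secure, so the header must be something only your proxy can set (strip or overwrite it on every inbound request before it reaches Django). If that is not guaranteed, listing the HTTPS origin in CSRF_TRUSTED_ORIGINS, or moving Cloudflare off Flexible mode as the first answer did, is the safer way out.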
