CloudFront removes the referer header before sending the request to the server. The following link specifies how each header is treated: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-custom-headers-behavior
Using the AWS CLI, I had to configure my CloudFront distribution to forward the request header as well as the csrftoken, since cookies aren’t forwarded either. Instructions can be found here:
https://devcenter.heroku.com/articles/edge#cloudfront-configuration
The ForwardedValues section of my config looked like this:
    "ForwardedValues": {
        "QueryString": false,
        "Cookies": {
            "Forward": "whitelist",
            "WhitelistedNames": {
                "Quantity": 2,
                "Items": [
                    "_app_session",
                    "csrftoken"
                ]
            }
        },
        "Headers": {
            "Quantity": 2,
            "Items": [
                "Origin",
                "Referer"
            ]
        },
        "QueryStringCacheKeys": {
            "Quantity": 0
        }
    }
I also had to update my django settings file to include
CSRF_TRUSTED_ORIGINS = [<CLOUDFRONT_URL>]
Note: Although the above instructions solved my issue in the original question, I did have to forward additional cookies such as "sessionid" and "messages" to get other features of the django app working.
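A small check that catches the two things that go wrong in this answer before the distribution is updated: a cookie the Django CSRF or session middleware needs that is not on the whitelist, and a "Quantity" that does not match the number of "Items" (the CloudFront API requires them to agree). This is added example code, not part of the answer above or of any AWS or Django tooling; the sample config below is constructed from the answer's ForwardedValues block (with the trailing comma removed and the extra sessionid/messages cookies from the note added), and the required cookie and header names are assumptions for a typical Django app.

```python
import json
from copy import deepcopy

# Constructed sample: the ForwardedValues block from the answer, made valid JSON,
# plus the sessionid/messages cookies the answer's note says were also needed.
GOOD_FORWARDED_VALUES = json.loads("""
{
  "QueryString": false,
  "Cookies": {
    "Forward": "whitelist",
    "WhitelistedNames": {
      "Quantity": 4,
      "Items": ["_app_session", "csrftoken", "sessionid", "messages"]
    }
  },
  "Headers": {
    "Quantity": 2,
    "Items": ["Origin", "Referer"]
  },
  "QueryStringCacheKeys": {"Quantity": 0}
}
""")

# Constructed counter-example: the answer's original two-cookie whitelist, which
# works for the CSRF check but drops the session cookie.
INCOMPLETE_FORWARDED_VALUES = deepcopy(GOOD_FORWARDED_VALUES)
INCOMPLETE_FORWARDED_VALUES["Cookies"]["WhitelistedNames"] = {
    "Quantity": 2,
    "Items": ["_app_session", "csrftoken"],
}

# Assumed defaults: Django's default CSRF and session cookie names, and the
# headers Django's CSRF middleware looks at for HTTPS requests.
REQUIRED_COOKIES = ("csrftoken", "sessionid")
REQUIRED_HEADERS = ("Origin", "Referer")


def _items(block):
    """Return the Items list of a {Quantity, Items} block, or [] if absent."""
    return list(block.get("Items", []))


def check_forwarded_values(fv, required_cookies=REQUIRED_COOKIES,
                           required_headers=REQUIRED_HEADERS):
    """Return a list of problems; an empty list means the config forwards
    everything the origin needs for Django CSRF and session handling."""
    problems = []

    cookies = fv.get("Cookies", {})
    forward = cookies.get("Forward")
    if forward == "none":
        problems.append("Cookies.Forward is 'none': no cookies reach the origin")
    elif forward == "whitelist":
        names = cookies.get("WhitelistedNames", {})
        items = _items(names)
        if names.get("Quantity") != len(items):
            problems.append("Cookies.WhitelistedNames.Quantity does not match Items")
        for cookie in required_cookies:
            if cookie not in items:
                problems.append(f"cookie {cookie!r} is not whitelisted")
    elif forward != "all":
        problems.append(f"unexpected Cookies.Forward value {forward!r}")

    headers = fv.get("Headers", {})
    hitems = _items(headers)
    if headers.get("Quantity") != len(hitems):
        problems.append("Headers.Quantity does not match Items")
    # HTTP header names are case-insensitive, so compare them lowercased.
    present = {h.lower() for h in hitems}
    for header in required_headers:
        if header.lower() not in present:
            problems.append(f"header {header!r} is not forwarded to the origin")

    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_FORWARDED_VALUES),
                       ("incomplete", INCOMPLETE_FORWARDED_VALUES)):
        print(label, check_forwarded_values(cfg) or "ok")
```

Run it against the "ForwardedValues" object pulled out of `aws cloudfront get-distribution-config` output before calling `update-distribution`; an empty list means the Referer/Origin headers and both Django cookies will reach the origin, and any message names the exact field to fix.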