27👍
TLDR: Try to use the csrf_exempt decorator for your view:
```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_webhook(request):
    # Do some stuff...
    # Return an HttpResponse, as Django expects a response from the view
    return HttpResponse(status=200)
```
To avoid potential security flaws, you should only do this when absolutely needed.
More context:
I faced a similar problem while working on a webhook called by a third party (a payment solution). The Django view for that webhook is called by the third party to notify us every time the payment status changes (for example, goes from 'open' to 'paid').
As the payment platform only provides a payment ID in the request POST, the CSRF check should not be performed. Django allows you to do this through the csrf_exempt decorator.
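Exempting the view removes Django's only check that the POST came from your own site, so the webhook needs some other way to authenticate the caller. The following is an added example, not code from the answer above or from any payment provider: a csrf_exempt view that verifies an HMAC signature over the raw request body and a timestamp before acting on the payment ID. The header names (X-Webhook-Timestamp, X-Webhook-Signature), the shared secret, the signing scheme and the five-minute replay window are assumptions for illustration; a real provider documents its own scheme, and if it offers none, the safe pattern is to treat the posted payment ID as a hint and fetch the payment's real status from the provider's API.

```python
"""Added example (not from the original answer): CSRF-exempt Django webhook
that authenticates the caller with an HMAC signature instead of a CSRF token.
Header names, secret and signing scheme are assumptions for illustration."""
import hashlib
import hmac
import json
import time
from typing import Optional

try:
    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt
except ImportError:  # lets the verification logic run where Django is not installed
    csrf_exempt = lambda view: view  # noqa: E731
    HttpResponse = None

# Assumption: shared secret copied from the provider's dashboard into settings.
WEBHOOK_SECRET = b"assumed-shared-secret-from-provider-dashboard"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (replay window)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over timestamp + '.' + raw body, so neither can be swapped alone."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, timestamp_header: Optional[str],
                   signature_header: Optional[str], now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid and fresh.

    - Computed over the *raw* body bytes, never a re-serialised JSON document.
    - hmac.compare_digest avoids a timing side channel on the comparison.
    - The timestamp bound limits replay of a captured, validly signed request.
    """
    if not timestamp_header or not signature_header:
        return False
    try:
        ts = int(timestamp_header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected, signature_header)


@csrf_exempt  # no CSRF cookie or token exists for a server-to-server call
def my_webhook(request):
    """Django view: authenticate via signature first, then act on the payment id."""
    if request.method != "POST":
        return HttpResponse(status=405)
    ok = verify_webhook(
        WEBHOOK_SECRET,
        request.body,  # raw bytes, exactly what the provider signed
        request.headers.get("X-Webhook-Timestamp"),  # assumed header names
        request.headers.get("X-Webhook-Signature"),
    )
    if not ok:
        return HttpResponse(status=401)
    payload = json.loads(request.body)
    payment_id = payload.get("id")
    # Treat the payload as a hint only: look the status up from the provider's
    # API using payment_id rather than trusting a posted "status" field.
    # update_order_from_provider(payment_id)  # hypothetical application code
    return HttpResponse(status=200)
```

Because the signature covers the raw body and a timestamp, an attacker who can reach the URL cannot forge a notification without the secret, and a captured notification cannot be replayed outside the tolerance window. The constant-time comparison matters: a plain `==` on the hex digest would leak how many leading bytes matched.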
0👍
Upgrading Django might fix the missing Referer error (as it's sent voluntarily by the client depending on Referrer-Policy).
As of Django 4.0 (release notes), the backend will first check the Origin header before falling back to the Referer header (source):
- CsrfViewMiddleware verifies the Origin header, if provided by the browser, against the current host and the CSRF_TRUSTED_ORIGINS setting. This provides protection against cross-subdomain attacks.
- In addition, for HTTPS requests, if the Origin header isn't provided, CsrfViewMiddleware performs strict referer checking. This means that even if a subdomain can set or modify cookies on your domain, it can't force a user to post to your application since that request won't come from your own exact domain.