django-rest-auth
{"detail":"CSRF Failed: Referer checking failed - no Referer."}
Hi, when I call in Windows Phone application request like this
PUT /rest-auth/user/ HTTP/1.1
Authorization: Basic ********==
Content-Type: application/json
Host: dimensions2016.herokuapp.com
Connection: close
User-Agent: Paw/2.3.3 (Macintosh; OS X/10.10.5) GCDHTTPRequest
Content-Length: 56
{"username":"******","first_name":"martina0"}
I get this error: {"detail":"CSRF Failed: Referer checking failed - no Referer."}
Hi, I am facing the same problem. There is no issue when using http; the problem occurs over https, and I am requesting through an Android app.
I have one solution for this, where I have found in comments in similar issues #164
This happened to me too, and I was using postman. CSRF is disabled in Django REST by default, and postman was sending the csrf token to django, which caused this error.
See this stackoverflow answer: https://stackoverflow.com/a/19347110/9137820
Just debugged this for our mobile dev. The problem is, indeed that the client (in his case paw) sends the Cookie header (which includes the CSRF token) but not a Referer. And this will be rejected by Django if the target URL is an https one. The solution is to either set a referer (It should be https and the same host and port as the API url you are testing) or to disable sending the cookies.
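To make the explanation above concrete, here is a small model of the check that produces this error: Django's CsrfViewMiddleware runs the Referer check before it even looks at the CSRF token, but only for unsafe methods over HTTPS, and DRF only enforces it when the request carries a session cookie (SessionAuthentication wins before Basic auth). This is an added illustration written for this thread, not code from Django or django-rest-auth; the host name, cookie names and the trusted-host handling are simplified assumptions.

```python
from urllib.parse import urlparse

# Messages mirror the wording DRF returns ("CSRF Failed: " + Django's reason).
NO_REFERER = "CSRF Failed: Referer checking failed - no Referer."
BAD_REFERER = "CSRF Failed: Referer checking failed - {} does not match any trusted origins."
NO_COOKIE = "CSRF Failed: CSRF cookie not set."
BAD_TOKEN = "CSRF Failed: CSRF token missing or incorrect."

def csrf_check(method, is_secure, headers, cookies, trusted_hosts=()):
    """Return None if the request passes, otherwise the rejection message.

    Simplified model of Django's CsrfViewMiddleware as triggered by DRF's
    SessionAuthentication. trusted_hosts stands in for CSRF_TRUSTED_ORIGINS
    (simplified to bare host[:port] values, an assumption of this example).
    """
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None  # safe methods are never CSRF-checked
    if "sessionid" not in cookies:
        # No session cookie: SessionAuthentication does not authenticate the
        # request, so DRF never enforces CSRF (this is the "stop sending
        # cookies" fix from the thread; Basic auth is then used instead).
        return None
    if is_secure:
        # Over HTTPS Django insists on a Referer (one 'r') *before* looking
        # at the token; a cookie-carrying client that omits it fails here.
        referer = headers.get("Referer")
        if not referer:
            return NO_REFERER
        parsed = urlparse(referer)
        good_hosts = {headers.get("Host", "")} | set(trusted_hosts)
        if parsed.scheme != "https" or parsed.netloc not in good_hosts:
            return BAD_REFERER.format(referer)
    if "csrftoken" not in cookies:
        return NO_COOKIE
    if headers.get("X-CSRFToken") != cookies["csrftoken"]:
        return BAD_TOKEN
    return None

# Constructed requests modelled on the thread (host is a placeholder).
HOST = "api.example.com"
COOKIES = {"sessionid": "abc", "csrftoken": "tok123"}
PAW_LIKE = {"Host": HOST}                              # cookies, no Referer
FIXED = {"Host": HOST, "Referer": f"https://{HOST}/", "X-CSRFToken": "tok123"}
HTTP_REF = {"Host": HOST, "Referer": f"http://{HOST}/", "X-CSRFToken": "tok123"}

if __name__ == "__main__":
    print(csrf_check("PUT", True, PAW_LIKE, COOKIES))  # the error in the issue
    print(csrf_check("PUT", True, FIXED, COOKIES))     # None: passes
    print(csrf_check("PUT", True, HTTP_REF, COOKIES))  # scheme mismatch
    print(csrf_check("PUT", True, PAW_LIKE, {}))       # None: no cookies sent
```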
I've added referrer: {apiUrl} to my fetch() and I'm still getting this error.
@cmelone was correct.
I had cookies for my api url in Postman, I also had a CSRF token cookie on chrome for the same domain because I was logged into the admin backend.
Once I removed these I could login to my app fine.
What a strange bug!
@karltaylor Assuming you copy pasted what you added, django actually spells it referer. That might be why adding referrer to your fetch didn't work
This helped me (or problem turned out to be due to Postman, not django-rest-auth): https://avilpage.com/2019/02/django-tips-csrf-token-postman-curl.html
@karltaylor , I'm curious, how/where did you add referer to your fetch()?
Just debugged this for our mobile dev. The problem is, indeed that the client (in his case paw) sends the Cookie header (which includes the CSRF token) but not a Referer. And this will be rejected by Django if the target URL is an https one. The solution is to either set a referer (It should be https and the same host and port as the API url you are testing) or to disable sending the cookies.
How to disable sending cookies while using axios in React Native? I am using the same axios call in React JS and it is working fine, but it is not working in React Native. Even on the Django side, I have no logic dependent on CSRF. Also, using curl or the httpie library works fine; only for React Native does it not work. Thanks
Just debugged this for our mobile dev. The problem is, indeed that the client (in his case paw) sends the Cookie header (which includes the CSRF token) but not a Referer. And this will be rejected by Django if the target URL is an https one. The solution is to either set a referer (It should be https and the same host and port as the API url you are testing) or to disable sending the cookies.
So far I think this is the best explanation. If you have time, please try to make it clearer how to solve it.
I am sending a post in a form. I am not really sure how to set a referer in a form submit.
so that many people will be helped.
cheers.
@henryliangt see this https://stackoverflow.com/questions/64180084/react-native-axios-django-csrf-failed-referer-checking-failed-no-referer also see my comments for this question - https://stackoverflow.com/a/50735730/9254735
@henryliangt
Well, this was 3 years ago, but your comment at least helps me remember I see this issue next time :). I think my description is pretty detailed and does include a pretty clear solution: set the referrer header. Now how you do it, really depends on the client you are working with, so I couldn't have possibly made it any more specific. But that's a separate issue everyone can look up for their own case. Whether that's a python library, an iOS app, an android app (with one of the HTTP libraries) or even say a native windows app.
If you are POST-ing that form from the browser, then look up that case. I think browsers do send referrers by default, but it can be configured/disabled. E.g. Firefox doesn't seem to send it in private browsing mode. (Which is an interesting source of bugs to be aware of.)
However, if you are doing an AJAX query then you may have to set the header manually. Again, refer to your JS HTTP library documentation (axios or whatever you use). If I were you, I'd probably try to make a request from the command line with curl first (with the correct referrer header) and if that works, then make the client do the same too.
thank you, very helpful.
thank you for the very patient reply.
Already fixed it.
@karltaylor
The default Referrer-Policy in Django is same-origin, so the browser won't send the Referer header even when you add it to the fetch() call (at least it didn't for me). I needed to add SECURE_REFERRER_POLICY = "strict-origin" to the Django settings.
Maybe this will help someone in the future.
I am able to successfully POST against my Django API with Postman when I properly set Cookie, X-CSRFTOKEN, and Referer in my header. I am trying to replicate the same request in my Chrome extension, but like @geeshta the browser won't send the Referer header even when I added it to the fetch() call, so I am still getting {detail: "CSRF Failed: Referer checking failed - no Referer."}. I tried adding SECURE_REFERRER_POLICY = "strict-origin" to my Django settings, and I can see that it has taken hold because my response headers now show Referrer-Policy: 'strict-origin', but I still don't see the Referer showing up in my request headers. @geeshta was there anything else that you did to get this to work?
hello, is this problem still actual? or we can close the issue?
it is