Search code examples
pythondjangopostgresqldjango-csrf

CSRF verification failed. Request aborted - Django, POST

I'm using Server: Django, Gunicorn, ngnix, postgresql

   Client: Chrome Advanced Rest Client

views.py

  from django.views.decorators.csrf import csrf_exempt, **ensure_csrf_cookie**  # Newly added
  from django.http import HttpResponse

  **@ensure_csrf_cookie**   # newly added
  def hello(request):
     return HttpResponse("Hello world")


  def hi(request):
     return HttpResponse("Hi World")

  def display_meta(request):
     values = request.META.items()
     values.sort()
     html = []
     for k, v in values:
       html.append('<tr><td>%s</td><td>%s</td></tr>' % (k, v))
     return HttpResponse('<table>%s</table>' % '\n'.join(html))

  def addUser(request):
    if request.method == 'POST':
    # Convert JSON to python objects and
    # store into the DB
    print 'Raw Json "%s"' % request.body
    #return HttpResponse("%s" %request.body)
    return HttpResponse("Thank God")

url.py

from django.conf.urls import patterns, include, url
from django.contrib import admin
from requests import hello, hi, addUser, display_meta

urlpatterns = patterns('',
    # Examples:
    # url(r'^$', 'testProject.views.home', name='home'),
    # url(r'^blog/', include('blog.urls')),
    url(r'^hello/$', hello),
    url(r'^hi/$', hi),
    url(r'^admin/', include(admin.site.urls)),
    url(r'^addPatient/$', addUser),
    url(r'^displaymeta/$', display_meta),
)

manage.py

# Application definition

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'dbTransactions',
)

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
                                                              27,18         35%

From Advance Rest Client:

a) GET to hi works fine no error b) POST to addUser gives "CSRF verification failed. Request aborted"

What I tried:

  1. @csrf_exempt in views. - No change in the POST same error
  2. Putting X-CSRF-Token - in POST Header - No change in the POST same error

I would greatly appreciate help on this. I've already read:

Solution

  • Thank you for the response. I learnt following things about CSRF, Django and Chrome Advanced Rest API Client.

    a. CSRF - Cross Site Request Forgery is way to protect malicious transaction specially POST, PUT, DELETE on the authenticated connection between client and the server.

    b. Django allows GET with CSRF token but it fails for any POST, PUT or DELETE.

    c. To obtain CSRF token in the response for GET one can use @ensure_csrf_cookie which will make sure response has CSRF token.

    d. For POST from Chrome's Advanced REST Client, one has to use X-CSRFTOKEN and token obtained from the response of the GET command.