Tags: reactjs, django, amazon-ec2, django-rest-framework, django-deployment

Django deployment error on console when opening through Public IP


I am deploying a Django site for the first time on an AWS Ubuntu Linux EC2 instance. I used Apache and a MySQL database. I was able to deploy the site successfully and it was accessible through my public IP, but it gave a warning in the Chrome console:


[Deprecation] The website requested a subresource from a network that it could only access because of its users' privileged network position. These requests expose non-public devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage. To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts, and will start blocking them in Chrome 92 (July 2021).


My project uses Django Rest Framework for POST and GET requests. I used React for the frontend, so I use its build folder as a template in Django, and my frontend sends requests to the public IP of my server. I am also attaching my settings.py file in case any of my settings might be the problem.

I read somewhere that using a domain name would solve this error, but I wasn't sure whether that issue was the same as mine. Also, if this is the case, would I have to change the request URL to my domain name instead of the public IP in my React build? This is my first time deploying a Django site, so any suggestions for my deployment settings are appreciated. Thanks in advance. If you need any more information, please tell me.

settings.py

import os

# BASE_DIR is not shown in the question; the usual two-levels-up definition is assumed here.
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

ALLOWED_HOSTS = ['OUR PUBLIC IP']  # placeholder from the question: the server's public IP literal

# Django only adds the Strict-Transport-Security header to HTTPS responses, so while the
# site is served over plain HTTP with SECURE_SSL_REDIRECT = False these HSTS settings have no effect.
SECURE_HSTS_SECONDS = 31536000
SECURE_SSL_REDIRECT = False
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

WHITENOISE_USE_FINDERS = True

INSTALLED_APPS = [
    'whitenoise.runserver_nostatic',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    # ...our apps (elided in the question; 'corsheaders' has to be listed here for CorsMiddleware below)
    'django_otp',
    'django_otp.plugins.otp_totp',
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',  # must come before CommonMiddleware
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',  # the question listed this twice; once is enough
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_otp.middleware.OTPMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

# ..database and other stuff (elided in the question)

# Static files: the React build output is collected by WhiteNoise from build/static.
STATIC_URL = '/static/'
STATICFILES_DIRS = [
    os.path.join(BASE_DIR, 'build/static')
]
STATIC_ROOT = os.path.join(BASE_DIR, 'static')

REST_FRAMEWORK = {
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    ),
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
    ]
}

DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
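The console message quoted in the question is Chrome's Private Network Access deprecation notice. To make the rule it describes concrete, here is an added Python example (not code from the question, from Django, or from Chrome) that models the draft specification's three address spaces and decides whether a fetch from a page to a target is a "private network request", and whether it falls under the non-secure-context deprecation the message announces. The model is simplified: it handles IP literals and `localhost` only (no DNS resolution), and the addresses used are constructed test values, so it cannot say which address in the asker's deployment triggered the warning.

```python
"""Simplified model of the Chrome Private Network Access (PNA) rule.

Added example, not code from the question, Django, or Chrome. It models
three address spaces ('local', 'private', 'public'); a request is a
private network request when its target lies in a more private space than
the page that initiates it; the Chrome 92 deprecation quoted in the question
applies when such a request comes from a non-secure context. IP literals
only (plus 'localhost'); every address below is a constructed test value.
"""
import ipaddress
from urllib.parse import urlparse

# Ordered from most to least private; a lower rank means "more private".
RANK = {"local": 0, "private": 1, "public": 2}

LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 shared address space
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]


def address_space(host: str) -> str:
    """Return 'local', 'private' or 'public' for an IP literal or 'localhost'."""
    if host == "localhost":
        return "local"
    ip = ipaddress.ip_address(host.strip("[]"))  # raises ValueError for hostnames
    if any(ip in net for net in LOCAL_NETS) or ip.is_unspecified:
        return "local"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def classify_request(page_url: str, target_url: str) -> dict:
    """Decide whether a fetch from page_url to target_url is a private network
    request, and whether it is covered by the non-secure-context deprecation."""
    page, target = urlparse(page_url), urlparse(target_url)
    if not page.hostname or not target.hostname:
        raise ValueError("both URLs need a host")
    page_space = address_space(page.hostname)
    target_space = address_space(target.hostname)
    # https pages and pages served from loopback count as secure contexts.
    secure_context = page.scheme == "https" or page_space == "local"
    pna_request = RANK[target_space] < RANK[page_space]
    return {
        "page_space": page_space,
        "target_space": target_space,
        "secure_context": secure_context,
        "private_network_request": pna_request,
        "deprecated_in_chrome_92": pna_request and not secure_context,
    }


if __name__ == "__main__":
    # Constructed cases: same public space, public http page -> private API,
    # and the same private target reached from an https page.
    for page, target in [
        ("http://203.0.113.10", "http://203.0.113.10/api/"),
        ("http://203.0.113.10", "http://10.0.0.5:8000/api/"),
        ("https://203.0.113.10", "http://10.0.0.5:8000/api/"),
    ]:
        print(page, "->", target, classify_request(page, target))
```

Two observations follow from running it. A page and an API both addressed by the same public IP, which is what the question describes, land in the same address space and are not flagged by this model, so the rule alone does not reproduce the asker's warning; it only shows what Chrome tests, not which address in that deployment tripped it. And moving the page to HTTPS changes `deprecated_in_chrome_92` to false without changing `private_network_request`, which is why a secure origin is the usual remedy rather than the target address.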

Solution

  • The warning went away after assigning a domain to the server.