Getting 403 Forbidden error on post requests when serving django app on Amazon cloud front through heroku
I have a django app deployed in heroku, which was working previously, however after adding the Edge add-on, which serves your static files from Amazon cloudfront for caching, all of my post requests are getting 403 errors.
I do pass the csrf token correctly, as my post requests still work when not served from cloudfront, but on cloudfront I am getting the error that the CSRF Verification failed
It also mentions that the referer header is missing, however I can see referer specified in the request headers in the network tab of the developer tools.
Any idea what I am missing here?
CloudFront removes the referer header before sending the request to the server. The following link specifies how each header is treated: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-custom-headers-behavior
Using the AWS CLI, I had to configure my CloudFront distribution to forward the request header as well as the csrftoken, since cookies aren't forwarded either. Instructions can be found here: https://devcenter.heroku.com/articles/edge#cloudfront-configuration
The ForwardedValues section of my config looked like this:
"ForwardedValues": {
"QueryString": false,
"Cookies": {
"Forward": "whitelist",
"WhitelistedNames": {
"Quantity": 2,
"Items": [
"_app_session",
"csrftoken",
]
}
},
"Headers": {
"Quantity": 2,
"Items": [
"Origin",
"Referer"
]
},
"QueryStringCacheKeys": {
"Quantity": 0
}
}
I also had to update my django settings file to include
CSRF_TRUSTED_ORIGINS = [<CLOUDFRONT_URL>]
Note: Although the above instructions solved my issue in the original question, I did have to forward additional cookies such as "sessionid" and "messages" to get other features of the django app working.
- django: on pypy, psyco, unladen swallow or cpython, which one is the fastest?
- Password Reset functionality inheriting from Django clases - reverse url issues ('uidb64')
- how to log a file in Django
- Using filters with model inheritance
- How to render a pdf file as pdf in browser using django
- django.db.utils.ProgrammingError: relation "bot_trade" does not exist
- Django DRF: @permission_classes not working
- How to prevent bleach from escaping > (blockquote) tag used in Markdown
- how to solve django.db.utils.NotSupportedError in django
- CSRF cookie error after Django 3.2 update (DRF with token authentication)
- How to make an Inner Join in django?
- Object of type ListSerializer is not JSON serializable
- How to get the common name for a pytz timezone eg. EST/EDT for America/New_York
- How to serialize user permissions in Django Rest Framework?
- Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding, when trying to start uwsgi
- Error attempting to deploy my Django app on Vercel
- Complex query using Django QuerySets
- How to call asynchronous function in Django?
- Django Sitemaps : Get only pages of the current website
- How to manage.py loaddata in Django
- 'Invalid filter: 'length_is' Error in Django Template – How to Fix?
- How to call OneToOneField reverse relationship in template (django)?
- Django Rest Framework POST Update if existing or create
- Django: get current manage.py command
- Change Django ModelChoiceField to show users' full names rather than usernames
- How to do aggregate raw sql with julian date in sqlite (with django)
- Django send excel file to Celery Task. Error InMemoryUploadedFile
- Monitoring django rest framework api on production server
- Interactive Graphviz graphs in a web application
- Django: Not Found static/admin/css