CSRF Failing

[koralarts]

I'm having an issue with the CSRF failing inconsistently.

Here are the modules that I have installed:

• Django == 1.7.4
• Cors Headers == 1.0.0
• Rest Framework == 3.0.2

I have this in my settings.py

INSTALLED_APPS = (
   ...,
   'corsheaders',
   ...
)

MIDDLEWARE_CLASSES = (
   ...,
   'corsheaders.middleware.CorsMiddleware',
   'django.middleware.common.CommonMiddleware',
   ...
)

CORS_ORIGIN_ALLOW_ALL = True
CORS_URLS_REGEX = r'^/api/.*$'

The issue that I'm getting is CSRF Failed: CSRF token missing or incorrect from the server, however; this is happening inconsistently. Sometimes, the CSRF will not file but after an hour or less, it starts to fail again.

Could this be because of Rest Framework 3 or Django 1.7?

[brad]

Is it failing on POST requests only? I had that problem and found that I had to add the csrf token from the API server to the AJAX request header named X-CSRFToken. To get the token, in the API view I added the token to the response in a header.

[danielmbaluka]

@brad how did you solve this in the APIView? Some code snippet?

[adamchainz]

Django has some docs on adding this to all AJAX requests: https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax

Hope that helps, closing this issue as it's old

[ustun]

Well, Django docs actually does not address this issue. There, it is suggested that you read the CSRF token from the cookie on the API server, but in a cors setting this is not possible.

That is, if I have two servers, API server and the cross-origin server, the cross-origin server cannot access the cookies of the API server, hence cannot set the X-CSRF header.

The only way I can think of is to add another endpoint to the API server that returns the CSRF token in a GET request, and then save that in the cross-origin server's code and use that in further POST requests, however that doesn't seem very secure according to https://github.com/pillarjs/understanding-csrf/

Also see pillarjs/understanding-csrf#6 .

Here, it seems to suggest that having a special endpoint for /csrf seems OK as long as we only allow CORS access from the cross-origin server we explicitly manage.

However, I am still not sure what the best way to deal with CSRF in a CORS setting. Should we just ignore CSRF for CORS? Some pointers in the docs regarding that would be helpful. I can open another issue for that if you like.

[adamchainz]

Yes please open another issue. I'm not sure but I think just disabling CSRF is the sensible thing, since we're explicitly allowing cross-site requests. Also most people use CORS to protect API's which take JSON, rather than html form data, which is what CSRF is mostly about protecting.