Help
Reason given for failure:
Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.
Check if you are using Django 4.0. I was using 3.2 and had this break for the upgrade to 4.0.
If you are on 4.0, this was my fix. Add this line to your settings.py. This was not required when I was using 3.2 and now I can't POST a form containing a CSRF without it.
CSRF_TRUSTED_ORIGINS = ['https://*.mydomain.com','https://*.127.0.0.1']
Review this line for any changes needed, for example if you need to swap out https for http.
Root cause is the addition of origin header checking in 4.0.
https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins
Changed in Django 4.0:
Origin header checking isn’t performed in older versions.
If your django version is "4.x.x":
python -m django --version
// 4.x.x
Then, if the error is as shown below:
Origin checking failed - https://example.com does not match any trusted origins.
Add this code to "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://example.com']
In your case, you got this error:
Origin checking failed - https://praktikum6.jhoncena.repl.co does not match any trusted origins.
So, you need to add this code to your "settings.py":
CSRF_TRUSTED_ORIGINS = ['https://praktikum6.jhoncena.repl.co']
If, like me, you are getting this error when the origin and the host are the same domain.
It could be because:
settings.py e.g. SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
and/or proxy_set_header X-Forwarded-Proto https; for Nginx.
In this case:
https://www.example.com due to 1.
request.is_secure() is returning False due to 2, 3 and 4.
_origin_verified() returns False because of line 285 of django.middleware.csrf (comparison of https://www.example.com to http://www.example.com):
def _origin_verified(self, request):
    request_origin = request.META["HTTP_ORIGIN"]
    try:
        good_host = request.get_host()
    except DisallowedHost:
        pass
    else:
        good_origin = "%s://%s" % (
            "https" if request.is_secure() else "http",
            good_host,
        )
        if request_origin == good_origin:
            return True
Make sure you read the warning in https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header before changing this setting though!
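A simplified, stand-alone model of the comparison discussed in the answers above, added here as an example (it is not Django's source and not code from any of the answers). The function names, the `meta` dict standing in for `request.META`, and the sample request are constructed for illustration; the model also covers exact and wildcard `CSRF_TRUSTED_ORIGINS` entries.

```python
from urllib.parse import urlsplit

# Simplified stand-alone model of the Django 4.0 origin check (not Django's code).
# `meta` plays the role of request.META; the two settings are passed as arguments.

def is_secure(meta, secure_proxy_ssl_header=None):
    """HTTPS as seen by the app: trust the proxy header only if configured."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            return value.split(",", 1)[0].strip() == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def origin_verified(meta, trusted_origins=(), secure_proxy_ssl_header=None):
    origin = meta["HTTP_ORIGIN"]
    scheme = "https" if is_secure(meta, secure_proxy_ssl_header) else "http"
    if origin == "%s://%s" % (scheme, meta["HTTP_HOST"]):
        return True  # same-origin request, the comparison quoted above
    if origin in (t for t in trusted_origins if "*" not in t):
        return True  # exact CSRF_TRUSTED_ORIGINS entry
    parsed = urlsplit(origin)
    for t in trusted_origins:
        if "*" not in t:
            continue
        pattern = urlsplit(t)
        suffix = pattern.netloc.lstrip("*")  # "*.example.com" -> ".example.com"
        if parsed.scheme == pattern.scheme and (
            parsed.netloc.endswith(suffix) or parsed.netloc == suffix[1:]
        ):
            return True
    return False


# Constructed request: browser talks HTTPS to Nginx, Nginx talks HTTP to the app.
BEHIND_PROXY = {
    "HTTP_ORIGIN": "https://www.example.com",
    "HTTP_HOST": "www.example.com",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "https",  # must be set by the proxy, never the client
}
PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

if __name__ == "__main__":
    print(origin_verified(BEHIND_PROXY))
    print(origin_verified(BEHIND_PROXY, secure_proxy_ssl_header=PROXY_HEADER))
    print(origin_verified(BEHIND_PROXY, trusted_origins=["https://*.example.com"]))
```

Either setting makes the check pass; the proxy-header route only holds if the proxy overwrites any client-supplied X-Forwarded-Proto value.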