Opened 7 weeks ago
Closed 7 weeks ago
#35805 closed Bug (invalid)
CSRF errors when using custom domains but not when using azure default domain
Reported by: | Dan Martinez | Owned by: | |
---|---|---|---|
Component: | CSRF | Version: | 5.0 |
Severity: | Normal | Keywords: | CSRF custom-domain CORS azure |
Cc: | Dan Martinez | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Deployed as web app in Azure and added my custom purchased (namecheap.com) domain name, let's call it 'i-heart-java.com'. I added the custom domain URL into the ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS lists, both as https and http, including with extra 'www.' entries. App pulls up successfully on those URLs and my page works for the most part, except when logging into any part of the app VIA MY CUSTOM DOMAIN; otherwise login works fine with the Azure default domain. Error shows:
2024-09-24T14:24:35.1649753Z Forbidden (Origin checking failed - https://www.mydomain.com does not match any trusted origins.): /admin/login/
Followed the documentation and have searched this issue to find I am (so far) the only one encountering it. My Settings file details are below and I have tried to mix and match these related Booleans with no luck:
```python
ALLOWED_HOSTS = [
    'https://127.0.0.1:8000',
    '127.0.0.1',
    'https://mydomain-XXX.eastus-0X.azurewebsites.net/',  # <- Azure default domain (logins work with no csrf errors here)
    "http://mydomain.com",
    'https://mydomain.com',
    "http://www.mydomain.com",
    'https://www.mydomain.com',
    # ..others..
]
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False
CORS_ALLOW_ALL_ORIGINS = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_USE_SESSIONS = True
SESSION_COOKIE_DOMAIN = '.charotte100.com'
SESSION_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = [
    "https://mydomain.com",
    "http://mydomain.com",
    "https://www.mydomain.com",
    "http://www.mydomain.com",
    # ..others..
]
```
I am not using any reverse proxy like Nginx and have the bog standard CSRF middleware installed and am running via the standard gunicorn app command. Can anyone shed any light on whether this is a possible Django issue or if my configuration is correct or if this is possibly a custom domain DNS issue?
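The "Origin checking failed" message comes from Django's CsrfViewMiddleware comparing the request's Origin header against the request's own scheme://host and then against CSRF_TRUSTED_ORIGINS. The script below is an added example, not code from the ticket or from Django itself: it is a simplified offline model of that comparison (exact string match on `scheme://host[:port]` entries, `*.` wildcard entries matched per scheme, and the ALLOWED_HOSTS hostname check), followed by a small linter that flags list entries which can never match. The settings values are constructed for the example; the staging and wildcard entries are not from the ticket.

```python
from urllib.parse import urlsplit

# Constructed settings modelled on the ticket (not the reporter's exact file).
# The '*.' entry and the trailing-slash entry are added to show two edge cases.
CSRF_TRUSTED_ORIGINS = [
    "https://mydomain.com",
    "http://mydomain.com",
    "https://www.mydomain.com",
    "http://www.mydomain.com",
    "https://*.azurewebsites.net",      # wildcard: any subdomain, same scheme
    "https://staging.mydomain.com/",    # trailing slash: an Origin header never has one
]
ALLOWED_HOSTS = ["127.0.0.1", "mydomain.com", ".mydomain.com", "https://127.0.0.1:8000"]


def is_same_domain(host, pattern):
    """Host/pattern comparison as Django does it: a pattern starting with '.'
    matches that domain and every subdomain; anything else must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def host_is_allowed(host_header, allowed_hosts):
    """Model of the ALLOWED_HOSTS check. The Host header is reduced to a bare
    hostname (port stripped; IPv6 literals ignored here), so an entry carrying a
    scheme, port or path can never match it."""
    hostname = host_header.lower().split(":")[0].rstrip(".")
    return any(p == "*" or is_same_domain(hostname, p) for p in allowed_hosts)


def split_trusted_origins(trusted_origins):
    """Exact entries are kept as raw strings; '*' entries become per-scheme suffixes."""
    exact = {o for o in trusted_origins if "*" not in o}
    wildcard = {}
    for o in trusted_origins:
        if "*" in o:
            p = urlsplit(o)
            wildcard.setdefault(p.scheme, []).append(p.netloc.lstrip("*"))
    return exact, wildcard


def origin_verified(origin_header, host_header, request_is_secure, allowed_hosts, trusted_origins):
    """Order of checks mirrored from CsrfViewMiddleware (simplified):
    1. Origin equal to the request's own scheme://host passes, provided the host is allowed.
    2. Otherwise Origin must be string-equal to a CSRF_TRUSTED_ORIGINS entry, or
    3. fall under a '*.' wildcard entry with the same scheme."""
    if host_is_allowed(host_header, allowed_hosts):
        own_origin = ("https" if request_is_secure else "http") + "://" + host_header
        if origin_header == own_origin:
            return True
    exact, wildcard = split_trusted_origins(trusted_origins)
    if origin_header in exact:
        return True
    p = urlsplit(origin_header)
    return any(is_same_domain(p.netloc, suffix) for suffix in wildcard.get(p.scheme, ()))


def lint_settings(allowed_hosts, trusted_origins):
    """Flag entries that can never match; the first thing to check when the log says
    'does not match any trusted origins' for a host you believe you listed."""
    findings = []
    for h in allowed_hosts:
        if "://" in h or "/" in h:
            findings.append(f"ALLOWED_HOSTS entry {h!r} has a scheme or path; Host headers never do")
    for o in trusted_origins:
        p = urlsplit(o)
        if not p.scheme or not p.netloc:
            findings.append(f"CSRF_TRUSTED_ORIGINS entry {o!r} needs the scheme://host form")
        elif p.path or p.query or p.fragment:
            findings.append(f"CSRF_TRUSTED_ORIGINS entry {o!r} has a path or trailing slash; "
                            "it is compared as a string and will never equal an Origin header")
    return findings


if __name__ == "__main__":
    # Constructed request: browser on the custom domain, TLS terminated upstream so
    # Django sees the request as plain http.
    print(origin_verified("https://www.mydomain.com", "www.mydomain.com", False,
                          ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS))
    for line in lint_settings(ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS):
        print(line)
```

Two things the model makes visible. First, when TLS is terminated in front of the app and the request reaches Django as plain http, the own-origin shortcut builds `http://www.mydomain.com`, which does not equal an `https://` Origin, so the request passes only if the https origin is listed in CSRF_TRUSTED_ORIGINS (or Django is told about the proxy's forwarded-proto header). Second, the exact match is a plain string comparison, so a trailing slash, a different scheme or a missing `www.` in a trusted-origins entry is enough to produce exactly the log line quoted in the ticket.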
See TicketClosingReasons/UseSupportChannels for ways to get help.