Cross Site Request Forgery Production

I received a 403 Forbidden Error.

It reads:
"In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

  • Your browser is accepting cookies.

  • The view function passes a request to the template’s render method. → I am trying to access the /admin page.

  • In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.

  • If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data. → I am using CsrfViewMiddleware, so we are good there.

  • The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login."

What have I tried and what am I expecting?

I retraced my steps in the Django for Beginners book to see if I mistyped something. According to the instructions:

"CSRF_TRUSTED_ORIGINS

Our message board app requires that we log into the admin on the production website to create, read, update, or delete posts. We must make sure that CSRF_TRUSTED_ORIGINS is correctly configured since it is a list of trusted origins for unsafe HTTP requests like POST. For now, we can set it to https://*.fly.dev since that will match our eventual production URL. This approach is also slightly insecure–it would be better to enter the exact production URL address–but it is fine for now. Later on, in the book, we will lock down CSRF_TRUSTED_ORIGINS fully. At the bottom of the django_project/settings.py file add a new line for CSRF_TRUSTED_ORIGINS"

# django_project/settings.py
CSRF_TRUSTED_ORIGINS = ["https://*.fly.dev"] # new

Here is my settings.py

settings.py

# The imports and the BASE_DIR / env setup sit above the part of the file
# that was pasted; these are the standard lines from the book that the rest
# of the settings (BASE_DIR, env.dj_db_url) depend on.
from pathlib import Path

from environs import Env

env = Env()
env.read_env()

# Build paths inside the project like this: BASE_DIR / "subdir".
BASE_DIR = Path(__file__).resolve().parent.parent


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = "django-insecure-!qh!i)qrch6^r34#&qtf@-29ff+vzh7gd76d26eiifm$d1@bzc"

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = ["*"]


# Application definition

INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "whitenoise.runserver_nostatic", # added whitenoise
    "django.contrib.staticfiles",
    "posts", # new 
]

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "whitenoise.middleware.WhiteNoiseMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    
] # during the HTTP Response phase middleware are called from the bottom up.

ROOT_URLCONF = "django_project.urls"

TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "DIRS": [BASE_DIR / "templates"], # new
        "APP_DIRS": True,
        "OPTIONS": {
            "context_processors": [
                "django.template.context_processors.debug",
                "django.template.context_processors.request",
                "django.contrib.auth.context_processors.auth",
                "django.contrib.messages.context_processors.messages",
            ],
        },
    },
]

WSGI_APPLICATION = "django_project.wsgi.application"


# Database
# https://docs.djangoproject.com/en/4.2/ref/settings/#databases

DATABASES = {
    # env.dj_db_url already returns the complete connection dict
    # (ENGINE, NAME, ...), so it is the value of "default" itself and must
    # not be nested inside a second "default" key.
    "default": env.dj_db_url("DATABASE_URL", default="sqlite:///db.sqlite3"),
}


# Password validation
# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",
    },
]


# Internationalization
# https://docs.djangoproject.com/en/4.2/topics/i18n/

LANGUAGE_CODE = "en-us"

TIME_ZONE = "UTC"

USE_I18N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/4.2/howto/static-files/

STATIC_URL = "static/" # this refers to the URL location of all static files in production.
STATIC_ROOT = BASE_DIR / "staticfiles" # new 
STATICFILES_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage" # new

# Default primary key field type
# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field

DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

# Origins (scheme + host) allowed to make unsafe requests such as POST.
# The wildcard matches every https subdomain of fly.dev, not only this app.
CSRF_TRUSTED_ORIGINS = ["https://*.fly.dev"] # new

After doing that I checked Django Forums for what problems other people had. One user posted this link to the documentation.

I am not certain what to do here. Can someone give me advice?
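The book's remark that the wildcard is "slightly insecure" comes down to how CsrfViewMiddleware compares a request's Origin header with CSRF_TRUSTED_ORIGINS. The following is an added example, not code from the question or from Django: a small stand-alone re-implementation of that matching logic (exact origins versus "*." subdomain wildcards, scheme included), run against the poster's fly.dev URL and a few constructed Origin values. The Origin strings other than the poster's own site, and the LOCKED_DOWN setting, are assumptions made for illustration.

```python
"""Model of how Django's CsrfViewMiddleware matches the Origin header of an
unsafe request (POST, PUT, ...) against CSRF_TRUSTED_ORIGINS.

Simplified re-implementation for illustration only, not Django's own code.
All Origin headers below are constructed samples.
"""
from collections import defaultdict
from urllib.parse import urlparse


def is_same_domain(host: str, pattern: str) -> bool:
    """Mirror of django.utils.http.is_same_domain: a pattern that starts
    with "." matches the bare domain and every subdomain of it; any other
    pattern must match the host exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def build_origin_rules(trusted_origins):
    """Split CSRF_TRUSTED_ORIGINS into exact origins and per-scheme
    subdomain wildcards, the way the middleware does once at startup."""
    exact = {o for o in trusted_origins if "*" not in o}
    subdomains = defaultdict(list)
    for origin in trusted_origins:
        if "*" in origin:
            parsed = urlparse(origin)
            # "*.fly.dev" becomes ".fly.dev": fly.dev and any subdomain of it
            subdomains[parsed.scheme].append(parsed.netloc.lstrip("*"))
    return exact, subdomains


def origin_verified(request_origin, trusted_origins, own_origin=None):
    """Return True if a request carrying this Origin header passes the
    CSRF origin check.

    own_origin models what Django derives from request.get_host() and
    request.is_secure(); a request whose Origin equals it passes without
    consulting CSRF_TRUSTED_ORIGINS at all.
    """
    if own_origin is not None and request_origin == own_origin:
        return True
    exact, subdomains = build_origin_rules(trusted_origins)
    if request_origin in exact:
        return True
    try:
        parsed = urlparse(request_origin)
    except ValueError:
        return False
    # The scheme is part of the match: an http:// origin never satisfies an
    # https:// wildcard, even for the very same host.
    return any(
        is_same_domain(parsed.netloc, host)
        for host in subdomains.get(parsed.scheme, ())
    )


SITE = "https://message-board-strikeouts27.fly.dev"   # the poster's site
WILDCARD = ["https://*.fly.dev"]   # the book's interim setting
LOCKED_DOWN = [SITE]               # assumed exact-origin setting


def demo():
    """Constructed Origin headers checked against both settings.
    Each value is (passes with WILDCARD, passes with LOCKED_DOWN)."""
    cases = {
        "same site, https": SITE,
        "same host, plain http": "http://message-board-strikeouts27.fly.dev",
        "another fly.dev app": "https://someone-else.fly.dev",
        "lookalike domain": "https://message-board-strikeouts27.fly.dev.example.net",
    }
    return {
        name: (origin_verified(o, WILDCARD), origin_verified(o, LOCKED_DOWN))
        for name, o in cases.items()
    }


if __name__ == "__main__":
    for name, (wild, exact) in demo().items():
        print(f"{name:24} wildcard={str(wild):5} exact={str(exact):5}")
```

Two things the output makes concrete. First, "https://*.fly.dev" accepts a POST whose Origin is any other https app on fly.dev, which is exactly the exposure the book says it will remove later by listing the exact site. Second, the scheme is compared too: "http://message-board-strikeouts27.fly.dev" does not match an https wildcard, and Django's own same-origin shortcut (own_origin above) is built from request.is_secure(), which behind a TLS-terminating proxy depends on SECURE_PROXY_SSL_HEADER being configured. With DEBUG = True the 403 page also prints a "Reason given for failure" line that says which of these checks rejected the request, so that line is worth reading before changing any setting.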

Is that the actual url you are using to access your site? If not, on what url does your site reside?

I opened my website with: https://message-board-strikeouts27.fly.dev/