Forbidden csrf token missing

ParhamMz · May 10, 2023, 7:07am

this is my view.py:

@csrf_exempt
@api_view(['GET', 'POST'])
def create_mobile_view(request):
    if request.method == 'GET':
        data = Mobile.objects.all()
        serializer = MobileSerializer(data, context={'request': request}, many=True)
        return Response(serializer.data)
    elif request.method == 'POST':
        serializer = CreateMobileSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(status=status.HTTP_201_CREATED)

    return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

this is my function based React Component:

const [formData, setformData] = React.useState({
        modelName: '',
        company: '',
        phoneImg1: '',
        phoneImg2: '',
        phoneImg3: '',
        storage: 0,
        batteryCapacity: 0,
        camera: '',
        avilableNumbers: 0,
        price: 0,
        discountPercentage: 0,
    })

    const requestOptions = {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'X_CSRFTOKEN': Cookies.get('csrftoken')
        },
        body: JSON.stringify(formData),
    };

    function handleChange(event) {
        const { name, value } = event.target
        setformData(prevInfo => ({
            ...prevInfo,
            [name]: value
        }))
    };
    

    function submitForm() {

        console.log(formData)
        fetch('/mobile/create/', requestOptions).then(res => console.log(res))

    };

KenWhitesell · May 10, 2023, 11:15am

What have you done so far to identify the source of the issue here?

Since you mention you’re using React here, are you loading the page containing the React components from your Django site? Or is it being loaded elsewhere? (If you’re loading it from a different site, then there possibly are the CORS-related issues needing to be addressed.)

Have you read the docs on How to use Django’s CSRF protection and the docs for the CSRF_ - related settings?

Have you looked at what you’re submitting in the POST request to verify that you are sending the token?

(I will point out that in your headers, you have X_CSRFTOKEN as the header name in your JavaScript instead of X-CSRFToken as defined in the docs. See the note in the HttpRequest.META section of the docs for why that’s important.)

ParhamMz · May 10, 2023, 11:26am

It’s from my Django site.
And yes I’ve read the docs but the problem didn’t solve.
I changed the X_CSRFTOKEN to X_CSRFToken but nothing new happened.

KenWhitesell · May 10, 2023, 11:54am

Please post all of your CSRF_ settings from your settings file.

Also:

That is not what I suggested you change the headers entry to.

What I wrote:

ParhamMz · May 17, 2023, 3:52pm

my CSRF settings.py:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'corsheaders.middleware.CorsMiddleware',
]
...
CSRF_COOKIE_NAME = "csrftoken"
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"

and i changed X_CSRFToken in js file and nothing happend.

Topic		Replies	Views
Cross-Origin request failed from React Forms & APIs	0	68	April 4, 2024
Forbidden (CSRF token missing or incorrect.) Using Django	5	22631	June 26, 2021
CSRF token missing react axios and django Mystery Errors	9	9998	April 29, 2023
403 forbidden Forms & APIs	5	1530	April 16, 2023
CSRF token validation for CORS Forms & APIs	4	2776	September 6, 2023

Forbidden csrf token missing

Related Topics