Forbidden csrf token missing

this is my

@api_view(['GET', 'POST'])
def create_mobile_view(request):
    if request.method == 'GET':
        data = Mobile.objects.all()
        serializer = MobileSerializer(data, context={'request': request}, many=True)
        return Response(
    elif request.method == 'POST':
        serializer = CreateMobileSerializer(
        if serializer.is_valid():
            return Response(status=status.HTTP_201_CREATED)

    return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

this is my function based React Component:

const [formData, setformData] = React.useState({
        modelName: '',
        company: '',
        phoneImg1: '',
        phoneImg2: '',
        phoneImg3: '',
        storage: 0,
        batteryCapacity: 0,
        camera: '',
        avilableNumbers: 0,
        price: 0,
        discountPercentage: 0,

    const requestOptions = {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'X_CSRFTOKEN': Cookies.get('csrftoken')
        body: JSON.stringify(formData),

    function handleChange(event) {
        const { name, value } =
        setformData(prevInfo => ({
            [name]: value

    function submitForm() {

        fetch('/mobile/create/', requestOptions).then(res => console.log(res))


What have you done so far to identify the source of the issue here?

Since you mention you’re using React here, are you loading the page containing the React components from your Django site? Or is it being loaded elsewhere? (If you’re loading it from a different site, then there possibly are the CORS-related issues needing to be addressed.)

Have you read the docs on How to use Django’s CSRF protection and the docs for the CSRF_ - related settings?

Have you looked at what you’re submitting in the POST request to verify that you are sending the token?

(I will point out that in your headers, you have X_CSRFTOKEN as the header name in your JavaScript instead of X-CSRFToken as defined in the docs. See the note in the HttpRequest.META section of the docs for why that’s important.)

It’s from my Django site.
And yes I’ve read the docs but the problem didn’t solve.
I changed the X_CSRFTOKEN to X_CSRFToken but nothing new happened.

Please post all of your CSRF_ settings from your settings file.


That is not what I suggested you change the headers entry to.

What I wrote:


CSRF_COOKIE_NAME = "csrftoken"

and i changed X_CSRFToken in js file and nothing happend.