Tutorial 2 Error: Forbidden - CSRF verification failed

Hi All, I’m working through Tutorial 2 and have gotten as far as logging into the admin page as the newly created superuser. However, I get the 403 error below when I enter the login details:

The steps I have taken are:

  1. All tutorial instructions (1 & 2) followed to this point
  2. Project created, server started, Django pages rendered, migrations applied
  3. Superuser created, Superuser credentials entered to admin login page on development server
  4. 403 error received when credentials entered to server

Steps taken to resolve the issue are:

  1. Checked CSRF token is present in dev tools - it is contained in a hidden field in the login form
  2. Attempted hard refresh of web page (Ctrl + Shift + R) and cleared cookies
  3. Tried to disable CSRF line in MIDDLEWARE section of settings.py
  4. From CSRF_TRUSTED_ORIGINS overview I have tried to add CSRF_TRUSTED_ORIGINS = [https://8000-dkelly255-djangotutorial-quxbwl9i55a.ws-eu31.gitpod.io/] as a variable in settings.py - however this doesn’t allow the Django admin page to load at all

I’ve read through the CSRF_TRUSTED_ORIGINS overview but am not actually sure how to proceed and resolve the error so I can keep going with the rest of the tutorial

Thanks in advance for any clarification or guidance you can provide

Couple items -

  • Each entry in CSRF_TRUSTED_ORIGINS is a string - there should be quotes around that url.

  • CSRF_TRUSTED_ORIGINS also accepts wildcard domains - not knowing how that address is generated, you may be better off specifying ‘https://*.gitpod.io’. (See the docs at Settings | Django documentation | Django)

  • Not knowing how your browser is passing that header to the site, you may also need to add ‘https://localhost’ and ‘’ to the list in that setting.

Side note: If you’re going to be developing in a non-local environment, you’re probably going to want to learn more about DNS name and host resolution, along with the http headers that are passed from the browser to the host. You are going to encounter more of these situations where tutorials, books, blogs, etc are making reference to localhost, when that may not be the reverse-resolved name as seen by the host.
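To make the three points above concrete, here is an added example (not code from the original thread or from Django itself) that reimplements, in simplified form, the origin check Django's CsrfViewMiddleware performs against CSRF_TRUSTED_ORIGINS. It shows why an entry must be a quoted string (a bare URL inside a Python list is a syntax error, which is why settings.py would not load at all), why a trailing slash breaks an exact match (the browser's Origin header carries only scheme and host, never a path), and how a `https://*.gitpod.io` wildcard is matched by scheme and domain suffix. The Gitpod-style hostname used below is a constructed placeholder.

```python
"""Simplified reimplementation of how Django's CsrfViewMiddleware checks the
Origin header against CSRF_TRUSTED_ORIGINS. Added for illustration; it is
not Django's own code. Hostnames below are constructed placeholders."""
from collections import defaultdict
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Mirror of django.utils.http.is_same_domain: a pattern starting with
    '.' matches that domain and every subdomain of it; otherwise the host
    must match the pattern exactly."""
    pattern = pattern.lower()
    if not pattern:
        return False
    host = host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def build_origin_index(trusted_origins):
    """Split CSRF_TRUSTED_ORIGINS into exact entries and, per scheme, the
    domain suffixes taken from wildcard entries ('https://*.gitpod.io'
    becomes suffix '.gitpod.io' under scheme 'https')."""
    exact = {origin for origin in trusted_origins if "*" not in origin}
    subdomains = defaultdict(list)
    for parsed in (urlparse(o) for o in trusted_origins if "*" in o):
        subdomains[parsed.scheme].append(parsed.netloc.lstrip("*"))
    return exact, subdomains


def origin_verified(request_origin, trusted_origins, good_origin=None):
    """Return True if the request's Origin header value is accepted.

    good_origin is the request's own 'scheme://host' as Django derives it
    from get_host(); a request whose Origin equals it is always trusted.
    Note that the Origin header never has a path, so a trusted entry with
    a trailing slash can never match exactly."""
    if good_origin is not None and request_origin == good_origin:
        return True
    exact, subdomains = build_origin_index(trusted_origins)
    if request_origin in exact:
        return True
    try:
        parsed = urlparse(request_origin)
    except ValueError:
        return False
    # Wildcard entries are keyed by scheme: an 'http://*' entry does not
    # cover an https origin, and vice versa.
    return any(
        is_same_domain(parsed.netloc, suffix)
        for suffix in subdomains.get(parsed.scheme, ())
    )


if __name__ == "__main__":
    # Constructed Origin header value from a Gitpod-style workspace.
    origin = "https://8000-user-proj-abc123.ws-eu31.gitpod.io"

    # Misconfiguration from the question (quoted here so it parses):
    # the trailing slash means no exact match, so the POST is rejected.
    print(origin_verified(origin, [origin + "/"]))        # False

    # Ken's suggestion: a wildcard entry matches any gitpod.io host.
    print(origin_verified(origin, ["https://*.gitpod.io"]))  # True

    # Wrong scheme on the wildcard does not match an https origin.
    print(origin_verified(origin, ["http://*.gitpod.io"]))   # False
```

Running the script with `python csrf_origin_check.py` prints False, True, False. The same logic explains the third point in the reply: if the browser sends an Origin of `https://localhost` (or some other name for the same host) that differs from what `get_host()` returns, that value has to appear in the list as well.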


Ken thank you so much :smile:

I changed the contents of the CSRF_TRUSTED_ORIGINS to be a string, and also to use the wildcard notation as you suggested & now it works - fantastic, thanks again