
How to disable Django's CSRF protection behind a proxy

I need to run a Django system (let's call it Alfred) behind a proxy. Both are on the same network. As the proxy I use yuri vandermeer's django-httpproxy (see his page, yvandermeer.net).

Both systems are running Django version 1.2.4.

Both systems are in the same (closed) network and also on the same IP. I have the proxy running on port 8000 and Alfred on port 1337. I need to log on to Alfred using his /admin site, which comes by default with Django (and which I have enabled). This is working via port 1337, but I need to access it via port 8000.

When I try it, Alfred is throwing a 403 CSRF error and telling me that I'm actually something like a man-in-the-middle (and Alfred is completely right when it's saying so).

I tried several things to disable Alfred's CSRF protection:

  1. I commented out the CsrfViewMiddleware in MIDDLEWARE_CLASSES in settings.py.
  2. I created a disable.py and added its DisableCSRF class to MIDDLEWARE_CLASSES (actually I tried each[!] position), as mentioned on this site (questions/1785772):

        #disable.py
        class DisableCSRF(object):
            def process_request(self, request):
                setattr(request, '_dont_enforce_csrf_checks', True)

  3. I created a disable.py and added its DisableCSRF class to MIDDLEWARE_CLASSES (again I tried each position), as mentioned in this other post: http://hi.baidu.com/ledzep2/blog/item/e6b1612e21884c5c4ec2267a.html

        #disable.py
        class DisableCSRF(object):
            def process_view(self, request, callback, callback_args, callback_kwargs):
                setattr(request, '_dont_enforce_csrf_checks', True)

  4. I tried to comment out the CSRF protection mechanism in django/middleware/csrf.py, but I found the relevant part around line 190, not around line 160 as mentioned on this site: questions/1650941/

None of the things mentioned worked. I always get a 403 error when I try to log on via /admin.

How can I disable the CSRF protection on Alfred? Is it possible to just disable it for /admin? I'd prefer if I could do this by a middleware like mentioned in 2. and 3. and not by commenting something out in the source like in 4. If there is a middleware way, that would be great.

Thanks in advance! :)

gessulat asked Jan 24 '26 06:01


1 Answer

You can use the @csrf_exempt decorator on the view functions to disable csrf for that view.
See the documentation

RickyA answered Jan 25 '26 20:01
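The answer narrows the exemption to individual views instead of switching CSRF off everywhere. The same narrowing applied to the middleware approach from the question, as an added example that is not code from either post: the flag is set only for requests under /admin/ whose TCP peer is the proxy. `ScopedCsrfExempt`, `EXEMPT_PREFIX`, `TRUSTED_PROXY_ADDRS`, `FakeRequest` and `demo` are assumed names, the proxy address is assumed to be 127.0.0.1 because both systems share one IP, and the code assumes CsrfViewMiddleware honours `_dont_enforce_csrf_checks` the way the question's snippets expect.

```python
# Added example: old-style Django middleware is a plain class, so this runs
# without Django installed. All names below are assumptions for illustration.

EXEMPT_PREFIX = "/admin/"                        # only this URL subtree
TRUSTED_PROXY_ADDRS = frozenset(["127.0.0.1"])   # assumed: proxy on same host


class ScopedCsrfExempt(object):
    """Set the per-request skip flag only for admin requests from the proxy."""

    def should_exempt(self, request):
        path = request.path
        if not path.endswith("/"):
            path += "/"              # treat "/admin" like "/admin/"
        if not path.startswith(EXEMPT_PREFIX):
            return False             # "/administrator/" does not match
        # REMOTE_ADDR is the TCP peer address. X-Forwarded-For is not
        # consulted because the client can set it to any value.
        return request.META.get("REMOTE_ADDR") in TRUSTED_PROXY_ADDRS

    def process_view(self, request, callback, callback_args, callback_kwargs):
        if self.should_exempt(request):
            request._dont_enforce_csrf_checks = True
        return None                  # let normal view processing continue


class FakeRequest(object):
    """Constructed stand-in for Django's HttpRequest (path and META only)."""

    def __init__(self, path, remote_addr):
        self.path = path
        self.META = {"REMOTE_ADDR": remote_addr}


def demo():
    """Run constructed requests through the middleware; return flag per case."""
    cases = [("/admin/", "127.0.0.1"), ("/admin", "127.0.0.1"),
             ("/administrator/", "127.0.0.1"), ("/admin/", "10.0.0.7"),
             ("/accounts/login/", "127.0.0.1")]
    mw = ScopedCsrfExempt()
    results = {}
    for path, addr in cases:
        req = FakeRequest(path, addr)
        mw.process_view(req, None, (), {})
        results[(path, addr)] = getattr(req, "_dont_enforce_csrf_checks", False)
    return results


if __name__ == "__main__":
    for case, exempt in sorted(demo().items()):
        print(case, "exempt" if exempt else "CSRF enforced")
```

A class like this would be listed in MIDDLEWARE_CLASSES ahead of CsrfViewMiddleware so that its process_view runs first; every other path and every other peer address keeps the normal CSRF check.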


