from django.conf import settings from django.http import HttpResponseForbidden from django.template import Context, Engine, TemplateDoesNotExist, loader from django.utils.translation import gettext as _ from django.utils.version import get_docs_version # We include the template inline since we need to be able to reliably display # this error message, especially for the sake of developers, and there isn't any # other way of making it available independent of what is in the settings file. # Only the text appearing with DEBUG=False is translated. Normal translation # tags cannot be used with this inline templates as makemessages would not be # able to discover the strings. CSRF_FAILURE_TEMPLATE = """ 403 Forbidden

{{ title }} (403)

{{ main }}

{% if no_referer %}

{{ no_referer1 }}

{{ no_referer2 }}

{{ no_referer3 }}

{% endif %} {% if no_cookie %}

{{ no_cookie1 }}

{{ no_cookie2 }}

{% endif %}
{% if DEBUG %}

Help

{% if reason %}

Reason given for failure:

    {{ reason }}
    
{% endif %}

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

{% else %}

{{ more }}

{% endif %} """ CSRF_FAILURE_TEMPLATE_NAME = "403_csrf.html" def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME): """ Default view used when request fails CSRF protection """ from django.middleware.csrf import REASON_NO_CSRF_COOKIE, REASON_NO_REFERER c = { 'title': _("Forbidden"), 'main': _("CSRF verification failed. Request aborted."), 'reason': reason, 'no_referer': reason == REASON_NO_REFERER, 'no_referer1': _( 'You are seeing this message because this HTTPS site requires a ' '“Referer header” to be sent by your Web browser, but none was ' 'sent. This header is required for security reasons, to ensure ' 'that your browser is not being hijacked by third parties.'), 'no_referer2': _( 'If you have configured your browser to disable “Referer” headers, ' 'please re-enable them, at least for this site, or for HTTPS ' 'connections, or for “same-origin” requests.'), 'no_referer3': _( 'If you are using the tag or including the “Referrer-Policy: ' 'no-referrer” header, please remove them. The CSRF protection ' 'requires the “Referer” header to do strict referer checking. If ' 'you’re concerned about privacy, use alternatives like ' ' for links to third-party sites.'), 'no_cookie': reason == REASON_NO_CSRF_COOKIE, 'no_cookie1': _( "You are seeing this message because this site requires a CSRF " "cookie when submitting forms. This cookie is required for " "security reasons, to ensure that your browser is not being " "hijacked by third parties."), 'no_cookie2': _( 'If you have configured your browser to disable cookies, please ' 're-enable them, at least for this site, or for “same-origin” ' 'requests.'), 'DEBUG': settings.DEBUG, 'docs_version': get_docs_version(), 'more': _("More information is available with DEBUG=True."), } try: t = loader.get_template(template_name) except TemplateDoesNotExist: if template_name == CSRF_FAILURE_TEMPLATE_NAME: # If the default template doesn't exist, use the string template. t = Engine().from_string(CSRF_FAILURE_TEMPLATE) c = Context(c) else: # Raise if a developer-specified template doesn't exist. raise return HttpResponseForbidden(t.render(c), content_type='text/html')