from django.conf import settings
from django.http import HttpResponseForbidden
from django.template import Context, Engine, TemplateDoesNotExist, loader
from django.utils.translation import gettext as _
from django.utils.version import get_docs_version
# We include the template inline since we need to be able to reliably display
# this error message, especially for the sake of developers, and there isn't any
# other way of making it available independent of what is in the settings file.
# Only the text appearing with DEBUG=False is translated. Normal translation
# tags cannot be used with this inline templates as makemessages would not be
# able to discover the strings.
CSRF_FAILURE_TEMPLATE = """
403 Forbidden
{{ title }} (403)
{{ main }}
{% if no_referer %}
{{ no_referer1 }}
{{ no_referer2 }}
{% endif %}
{% if no_cookie %}
{{ no_cookie1 }}
{{ no_cookie2 }}
{% endif %}
{% if DEBUG %}
Help
{% if reason %}
Reason given for failure:
{{ reason }}
{% endif %}
In general, this can occur when there is a genuine Cross Site Request Forgery, or when
Django's
CSRF mechanism has not been used correctly. For POST forms, you need to
ensure:
- Your browser is accepting cookies.
- The view function passes a
request
to the template's render
method.
- In the template, there is a
{% templatetag openblock %} csrf_token
{% templatetag closeblock %}
template tag inside each POST form that
targets an internal URL.
- If you are not using
CsrfViewMiddleware
, then you must use
csrf_protect
on any views that use the csrf_token
template tag, as well as those that accept the POST data.
- The form has a valid CSRF token. After logging in in another browser
tab or hitting the back button after a login, you may need to reload the
page with the form, because the token is rotated after a login.
You're seeing the help section of this page because you have DEBUG =
True
in your Django settings file. Change that to False
,
and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.
{% else %}
{% endif %}
"""
CSRF_FAILURE_TEMPLATE_NAME = "403_csrf.html"
def csrf_failure(request, reason="", template_name=CSRF_FAILURE_TEMPLATE_NAME):
"""
Default view used when request fails CSRF protection
"""
from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE
c = {
'title': _("Forbidden"),
'main': _("CSRF verification failed. Request aborted."),
'reason': reason,
'no_referer': reason == REASON_NO_REFERER,
'no_referer1': _(
"You are seeing this message because this HTTPS site requires a "
"'Referer header' to be sent by your Web browser, but none was "
"sent. This header is required for security reasons, to ensure "
"that your browser is not being hijacked by third parties."),
'no_referer2': _(
"If you have configured your browser to disable 'Referer' headers, "
"please re-enable them, at least for this site, or for HTTPS "
"connections, or for 'same-origin' requests."),
'no_cookie': reason == REASON_NO_CSRF_COOKIE,
'no_cookie1': _(
"You are seeing this message because this site requires a CSRF "
"cookie when submitting forms. This cookie is required for "
"security reasons, to ensure that your browser is not being "
"hijacked by third parties."),
'no_cookie2': _(
"If you have configured your browser to disable cookies, please "
"re-enable them, at least for this site, or for 'same-origin' "
"requests."),
'DEBUG': settings.DEBUG,
'docs_version': get_docs_version(),
'more': _("More information is available with DEBUG=True."),
}
try:
t = loader.get_template(template_name)
except TemplateDoesNotExist:
if template_name == CSRF_FAILURE_TEMPLATE_NAME:
# If the default template doesn't exist, use the string template.
t = Engine().from_string(CSRF_FAILURE_TEMPLATE)
c = Context(c)
else:
# Raise if a developer-specified template doesn't exist.
raise
return HttpResponseForbidden(t.render(c), content_type='text/html')