from django.conf import settings from django.http import HttpResponseForbidden from django.template import Context, Template from django.utils.translation import ugettext as _ # We include the template inline since we need to be able to reliably display # this error message, especially for the sake of developers, and there isn't any # other way of making it available independent of what is in the settings file. # Only the text appearing with DEBUG=False is translated. Normal translation # tags cannot be used with this inline templates as makemessages would not be # able to discover the strings. CSRF_FAILURE_TEMPLATE = """ 403 Forbidden

{{ title }} (403)

{{ main }}

{% if no_referer %}

{{ no_referer1 }}

{{ no_referer2 }}

{% endif %} {% if no_cookie %}

{{ no_cookie1 }}

{{ no_cookie2 }}

{% endif %}
{% if DEBUG %}

Help

{% if reason %}

Reason given for failure:

    {{ reason }}
    
{% endif %}

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

{% else %}

{{ more }}

{% endif %} """ def csrf_failure(request, reason=""): """ Default view used when request fails CSRF protection """ from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE t = Template(CSRF_FAILURE_TEMPLATE) c = Context({ 'title': _("Forbidden"), 'main': _("CSRF verification failed. Request aborted."), 'reason': reason, 'no_referer': reason == REASON_NO_REFERER, 'no_referer1': _( "You are seeing this message because this HTTPS site requires a " "'Referer header' to be sent by your Web browser, but none was " "sent. This header is required for security reasons, to ensure " "that your browser is not being hijacked by third parties."), 'no_referer2': _( "If you have configured your browser to disable 'Referer' headers, " "please re-enable them, at least for this site, or for HTTPS " "connections, or for 'same-origin' requests."), 'no_cookie': reason == REASON_NO_CSRF_COOKIE, 'no_cookie1': _( "You are seeing this message because this site requires a CSRF " "cookie when submitting forms. This cookie is required for " "security reasons, to ensure that your browser is not being " "hijacked by third parties."), 'no_cookie2': _( "If you have configured your browser to disable cookies, please " "re-enable them, at least for this site, or for 'same-origin' " "requests."), 'DEBUG': settings.DEBUG, 'more': _("More information is available with DEBUG=True."), }) return HttpResponseForbidden(t.render(c), content_type='text/html')