Question
After installing SSL/https keys X-CSRFToken is dropped. I also setup http2. Before Https everything worked correctly but now I am getting 403 because CSRF token is missing. Can't find info addressing this particular issue. Thanks for any help.
support
server {
    # Enable HTTP/2 (TLS is selected by the "ssl" parameter on listen)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Redundant with "listen ... ssl" above and deprecated in newer nginx releases
    ssl on;
    server_name site.io www.site.io;

    # Use the Let's Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/site.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.io/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include /etc/nginx/snippets/ssl-params.conf;

    # Note: max-age=500 is only ~8 minutes; also, any add_header inside a
    # location block replaces the server-level add_header set, so this header
    # is NOT sent on responses from the proxied location below
    add_header Strict-Transport-Security max-age=500;

    access_log /home/nodejs/site.io/resuma_io_access.log;
    error_log /home/nodejs/site.io/resuma_io_error.log;
    root /home/nodejs/site.io/www/dist/client;

    location ~ ^/(api|user|auth|socket.io-client|sitemap.xml) {
        # Forward client address and original scheme so the app knows it is behind HTTPS
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        # WebSocket / socket.io upgrade support
        proxy_set_header Upgrade $http_upgrade;
        proxy_ssl_session_reuse off;
        proxy_redirect off;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_http_version 1.1;

        # proxy_pass_header only affects *response* headers that nginx hides by default;
        # request headers such as X-CSRFToken are forwarded to the upstream regardless,
        # so this directive is not what decides whether the token reaches the app
        proxy_pass_header X-CSRFToken;

        add_header X-Frame-Options SAMEORIGIN;
        sendfile off;
        proxy_pass http://nodejs_upstream;
    }
}
Answer 1:
I have the same issue with Django running on Nginx SSL/https.
As mentioned by Bryan on "Django CSRF check failing with an Ajax POST request", one other way to pass the csrftoken is to pass it through the parameters:
// url and type are assumed for a complete call; the original snippet showed only the data block
$.ajax({
    url: '/api/endpoint',
    type: 'POST',
    data: {
        somedata: 'somedata',
        moredata: 'moredata',
        csrfmiddlewaretoken: mytoken   // token sent as a form field instead of a header
    }
});
Where csrfmiddlewaretoken stands for the variable name used by your API to store the csrftoken (csrfmiddlewaretoken in Django), and mytoken is a variable initialized either from the DOM or from the cookie:
DOM: using the token-named variable of your API. In Django, just add {% csrf_token %} in your HTML file. This will feed the csrfmiddlewaretoken variable, which will be accessible in jQuery:
mytoken = jQuery("[name=csrfmiddlewaretoken]").val();
COOKIE: by using a jQuery function which gets the token from the cookie:
mytoken = getCookie('csrftoken');
The getCookie() function is mentioned in the Django docs in order to deal with CSRF POST with AJAX.
Of course, this doesn't solve the header issue with SSL but allows POST, PUT and DELETE requests. It also requires going through each $.ajax call to add the csrfmiddlewaretoken variable.
Answer 2:
Reading through my last search on Stack Overflow I've found the real cause of the problem. In my case, it was not a header problem but a cookie one! CSRFToken was not in the cookie!
What Wtower answered on 13/05/2015 on "403 Forbidden error when making an ajax Post request in Django framework" explains it clearly.
CSRF_COOKIE_HTTPONLY = True
in settings.py must be either removed or set to False!
If this is set to True, client-side JavaScript will not be able to access the CSRF cookie!
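The client-side half of Answer 2, as an added example that is not part of the original thread: read the CSRF cookie from a document.cookie-style string, attach it as the X-CSRFToken header, and report when the cookie is simply not visible to script (the HttpOnly case above). The cookie strings and the cookie name "csrftoken" (Django's default) are assumed for the demo.

```javascript
// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Cookie attributes such as HttpOnly never appear here: an HttpOnly cookie is
// simply absent from document.cookie, which is exactly the symptom in Answer 2.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : decodeURIComponent(trimmed.slice(eq + 1));
    cookies[name] = value;
  }
  return cookies;
}

// Build the request headers for a state-changing call. Returns the headers, or
// a diagnostic explaining why the token could not be read from the cookie jar.
function csrfHeaders(cookieString, cookieName = 'csrftoken') {
  const token = parseCookies(cookieString)[cookieName];
  if (!token) {
    return {
      headers: null,
      diagnostic:
        `cookie "${cookieName}" is not visible to JavaScript: either the server ` +
        'never set it on this origin, or it was set with HttpOnly ' +
        '(CSRF_COOKIE_HTTPONLY = True in Django), which hides it from document.cookie',
    };
  }
  return { headers: { 'X-CSRFToken': token }, diagnostic: null };
}

// Browser usage (constructed, not executed here):
//   const { headers, diagnostic } = csrfHeaders(document.cookie);
//   if (!headers) console.error(diagnostic);
//   else fetch('/api/endpoint', { method: 'POST', credentials: 'same-origin', headers });
```

Checking the diagnostic before sending turns a silent 403 into an explicit "the cookie never reached script" message, which is the distinction the two answers above are about.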
Source: https://stackoverflow.com/questions/42536254/ssl-https-removes-x-csrftoken-from-headers