using AWS cloudfront with Django - CSRF failures


John Briere

Jun 26, 2014, 5:26:18 PM6/26/14
to django...@googlegroups.com
I'm sure there's a simple solution for this, but I haven't found it. AWS CloudFront strips out the Referer header:

Django requires a referer to exist and to match the current site as part of CSRF protection: 

The immediate issue is that /admin doesn't work at all, but even if I exclude /admin from being behind CloudFront, what about other forms that users will interact with?

Thanks, John

João Figueiredo

Apr 28, 2016, 6:50:08 AM4/28/16
to Django users
Hi John, 

Even though I'm two years late, in case someone runs into this problem I managed to solve it by:

Whitelisting the 'x-csrfmiddlewaretoken' header (i.e. gets properly forwarded to origin) in the distribution settings.
Whitelisting the 'csrftoken' cookie in the distribution behaviour.

Best,
Joao
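As an added example (not from either poster, and not verified against their setup), here is a CloudFormation cache behaviour that forwards what Django's CsrfViewMiddleware needs from CloudFront: the Host and Referer headers (the Referer check compares the referring host against request.get_host()), the X-CSRFToken header (Django's default CSRF_HEADER_NAME for AJAX requests; csrfmiddlewaretoken is the form-field name), and the csrftoken cookie. The origin domain name is a placeholder; the TTLs are set to zero so that per-user responses carrying cookies are not cached at the edge.

```yaml
# Added example: CloudFront distribution in front of a Django origin.
# Values marked "placeholder" must be replaced for a real deployment.
Resources:
  DjangoDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: django-origin
            DomainName: origin.example.com        # placeholder origin host
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: django-origin
          ViewerProtocolPolicy: redirect-to-https
          # Form submissions are POSTs; the default GET/HEAD set would
          # reject them before they ever reach Django.
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
          # Do not cache dynamic, cookie-bearing responses at the edge.
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0
          ForwardedValues:
            QueryString: true
            Headers:
              - Host         # lets Django match Referer against get_host()
              - Referer      # required by the CSRF check on HTTPS requests
              - X-CSRFToken  # default CSRF header for AJAX/fetch requests
            Cookies:
              Forward: whitelist
              WhitelistedNames:
                - csrftoken  # CSRF cookie compared with the submitted token
                - sessionid  # needed for /admin and any logged-in view
```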