How to fix mixed content error in Swagger? - django

I am running a Django REST framework backend application on Gunicorn.
When trying to fetch data from Swagger I get "TypeError: Failed to fetch".
In the console this error is reported:
Mixed Content: The page at 'https://****.com/swagger/' was loaded over HTTPS, but requested an insecure resource 'http://****.com/v2/products/'. This request has been blocked; the content must be served over HTTPS.
I tried everything I found and could think of including:
Adding
secure_scheme_headers = {
'X-FORWARDED-PROTOCOL': 'ssl',
'X-FORWARDED-PROTO': 'https',
'X-FORWARDED-SSL': 'on'}
to Gunicorn
and
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
to Django settings.
But nothing helps.
Swagger for Django: drf-yasg==1.12.1

I found the solution. In the Django settings add:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
# Security Headers
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 3600

Related

CSRF verification failed. Request aborted

Been working on my live server all day and just got it working; admin was working fine, I cleared cookies and suddenly I got the following error, and no fixes seem to be helping me. My website doesn't have SSL yet so it's still http (don't know if this has anything to do with it?)
DEBUG = False
CSRF_TRUSTED_ORIGINS = ['http://.*', 'http://example.com', 'http://www.example.com']
# HTTPS Settings
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = False
SECURE_SSL_REDIRECT = False
# HSTS Settings
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
This is the only form on my website that requires csrf_token and as you can see it already has it.
SOLVED
By adding the ip from my domain to the allowed hosts and trusted origins.
Do you have CsrfViewMiddleware in your MIDDLEWARE_CLASSES setting? If you are accessing the site non-securely (it seems so), then it cannot work. Try disabling CSRF_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and SESSION_COOKIE_SECURE and you will see that it works.

Unrecognized Content Security Policy directive 'worker-src' in Safari Browser

I have a Django app that is embedded in Shopify. It is working fine in all other browsers except Safari. In Safari the above-mentioned issue appears in the log and I get an internal server error for all other functionalities of the app. This is the part of my settings.py with the CSP settings:
CSP_FRAME_ANCESTORS = ("'self'", 'https://*.myshopify.com')
# default source as self
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'", "https://fonts.gstatic.com")
# style from our domain and bootstrapcdn
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "https://fonts.googleapis.com")
# scripts from our domain and other domains
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'")
# images from our domain and other domains
CSP_IMG_SRC = ("'self'",
"https://*.s3.amazonaws.com", "data:", "https://cdn.shopify.com")
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'PUT']
CSRF_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SECURE = True
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
CSRF_TRUSTED_ORIGINS = [config('CSRF_TRUSTED_ORIGINS')]
Can anyone tell me what's the issue here?
The implemented support for the various levels and directives of CSP differs between browsers. Safari only recently added support for worker-src, see https://caniuse.com/?search=worker-src. If you upgrade to a more recent version it will probably work for you. However, you should also consider whether your user base is ready and define fallbacks for other browsers if necessary.

Django rest framework: Mixed content

I am quite new to Django REST framework. I have a project which contains a Django REST framework API inside a Django site project (with simple frontend code) and it works fine in my local environment. However, in the production domain (HTTPS) it shows the following:
Mixed Content: The page at 'https://<my production domain>/audience/labeling_jobs/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<my production domain>/audience/labeling_jobs/api/jobs/?page=2'. This request has been blocked; the content must be served over HTTPS.
I have setup the configuration about SSL/HTTPS according to Django document SSL/HTTPS beforehand but it still got this error.
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_SSL_REDIRECT = True
It seems that Django REST framework cannot get the correct HTTPS scheme, but it works fine with other Django paths; they can be shown on the production page.
Is there anything I have missed?
EDIT:
Below is the code which request the django rest api:
The function tries to show the Django labeling_jobs data via the REST framework API, with paging.
{% block custom_script %}
<script type="module">
const Jobs = {
    data() {
        return {
            // absolute API URL rendered server-side by Django's {% url %} tag
            job_api_url: '{% url "labeling_jobs:api-job-detail" %}',
            data: '',
            next_page_url: null,
            previous_page_url: null,
        }
    },
    mounted() {
        this.getJobs()
    },
    computed: {
        jobs() {
            return this.data.results
        }
    },
    methods: {
        // fetches one page; DRF's paginated response carries absolute
        // "next"/"previous" links that are followed as-is
        async getJobs(url) {
            url = url ? url : this.job_api_url
            const response = await axios.get(url)
            this.data = response.data
            this.next_page_url = this.data.next
            this.previous_page_url = this.data.previous
        },
        next_page() {
            console.log(this.next_page_url)
            if (this.next_page_url) {
                this.getJobs(this.next_page_url)
            }
        },
        previous_page() {
            console.log(this.previous_page_url)
            if (this.previous_page_url) {
                this.getJobs(this.previous_page_url)
            }
        }
    }
}
const app = Vue.createApp(Jobs)
app.config.compilerOptions.delimiters = ['[[', ']]']
app.mount('#wrapper')
</script>
{% endblock %}
EDIT 2
I found that the problem is related to Django REST framework pagination: when I open the API URL in the browser with the production host and view it in the REST framework UI, it is OK, but it fails when I try to move to the next page.
I have fixed this problem by adding <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> in the head of base.html and adding the following config in settings.py:
USE_X_FORWARDED_HOST = True
# Django reads the header from request.META, where it is keyed HTTP_X_FORWARDED_PROTO;
# a bare 'X-FORWARDED-PROTO' key never matches and the setting is silently ignored.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
And it can show the contents by requesting the correct HTTPS URL without redirecting to the wrong HTTP domain name.
But I still think it is not the best answer; I will dive into Django REST framework pagination, maybe with relative URLs, to get something more robust.
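The two mixed-content answers on this page (the Swagger one and the DRF pagination one above) both come down to the same decision: DRF's PageNumberPagination builds its "next" link with request.build_absolute_uri(), so the link's scheme is whatever Django's request.scheme says, and behind a TLS-terminating proxy that depends on SECURE_PROXY_SSL_HEADER and on what gunicorn put into the WSGI environ. The following is an added example, not code from the posts above or from Django, gunicorn or DRF: it re-implements both decisions in plain Python so they can be run offline. The host name, proxy addresses and header values are constructed; the gunicorn defaults (forwarded_allow_ips of 127.0.0.1 and the three secure_scheme_headers quoted in the question) are assumed.

```python
"""Added example: how the scheme of DRF's paginated "next" link is decided
behind a reverse proxy. Re-implements the relevant logic of gunicorn's
secure_scheme_headers handling and Django's HttpRequest.scheme; it is not
their code. Host, addresses and header values are constructed."""

from urllib.parse import urlencode

# Assumed gunicorn configuration: its defaults, as quoted in the question.
FORWARDED_ALLOW_IPS = {"127.0.0.1"}
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def wsgi_url_scheme(raw_headers, remote_addr):
    """Model of gunicorn: a secure-scheme header upgrades wsgi.url_scheme to
    https only when the peer address is a trusted proxy; otherwise the scheme
    stays the plain http that gunicorn itself accepted."""
    if remote_addr in FORWARDED_ALLOW_IPS:
        upper = {name.upper(): value for name, value in raw_headers.items()}
        for name, secure_value in SECURE_SCHEME_HEADERS.items():
            if upper.get(name) == secure_value:
                return "https"
    return "http"


def build_environ(raw_headers, remote_addr, path="/v2/products/"):
    """The WSGI environ (request.META in Django) for one proxied request.
    Every request header lands in META as HTTP_<NAME>, dashes turned into
    underscores, which is why the Django setting needs the HTTP_ prefix."""
    environ = {
        "wsgi.url_scheme": wsgi_url_scheme(raw_headers, remote_addr),
        "REMOTE_ADDR": remote_addr,
        "PATH_INFO": path,
    }
    for name, value in raw_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def request_scheme(environ, secure_proxy_ssl_header):
    """Same decision as Django's HttpRequest.scheme (re-implemented here).
    A META key that never appears makes the setting a silent no-op."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = environ.get(header)
        if header_value is not None:
            # Recent Django keeps only the first value of a comma-joined proxy
            # chain (assumed here); anything but secure_value means http.
            header_value, *_ = header_value.split(",", 1)
            return "https" if header_value.strip() == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")


def next_page_link(environ, secure_proxy_ssl_header, next_page):
    """What PageNumberPagination puts in "next": the request's absolute URI
    (scheme + Host + path) with the page parameter replaced."""
    scheme = request_scheme(environ, secure_proxy_ssl_header)
    query = urlencode({"page": next_page})
    return f"{scheme}://{environ['HTTP_HOST']}{environ['PATH_INFO']}?{query}"


CORRECT = ("HTTP_X_FORWARDED_PROTO", "https")   # Django's documented form
RAW_NAME = ("X-FORWARDED-PROTO", "https")        # raw header name: never in META
PROXY_HEADERS = {"Host": "example.com", "X-Forwarded-Proto": "https"}
BARE_HEADERS = {"Host": "example.com"}


def scenarios():
    """Scheme of the "next" link under the configurations seen on this page.
    10.0.0.5 stands for a proxy gunicorn does not trust (e.g. a container on
    another address), 127.0.0.1 for one it does, 203.0.113.9 for a client
    that reaches gunicorn directly."""
    return {
        # Proxy sends X-Forwarded-Proto, Django setting spelled correctly: https.
        "correct_key": next_page_link(build_environ(PROXY_HEADERS, "10.0.0.5"), CORRECT, 2),
        # Same request, but the key lacks HTTP_: Django falls back to
        # wsgi.url_scheme, which gunicorn left at http -> mixed content.
        "key_without_http_prefix": next_page_link(build_environ(PROXY_HEADERS, "10.0.0.5"), RAW_NAME, 2),
        # The proxy never says it terminated TLS: no Django setting can fix this.
        "no_forwarded_header": next_page_link(build_environ(BARE_HEADERS, "10.0.0.5"), CORRECT, 2),
        # Proxy on localhost: gunicorn's secure_scheme_headers already set
        # wsgi.url_scheme, so the link is https even without the Django setting.
        "trusted_by_gunicorn": next_page_link(build_environ(PROXY_HEADERS, "127.0.0.1"), None, 2),
        # A client that bypasses the proxy and sends the header itself is also
        # believed: only enable the setting when the proxy overwrites that header.
        "client_spoof": next_page_link(build_environ(PROXY_HEADERS, "203.0.113.9"), CORRECT, 2),
    }
```

Two checks fall out of this: print request.META.get("HTTP_X_FORWARDED_PROTO") from a view (or look at the proxy's upstream config) to confirm the header actually arrives, and confirm the proxy strips any X-Forwarded-Proto a client supplies, since the last scenario shows Django trusting it blindly once SECURE_PROXY_SSL_HEADER is set.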

Django - CSRF problem after moving to production server

I moved applications to the production server and I have a problem with CSRF - Access denied (403)
CSRF verification failed. The request was aborted.
I checked in my browser and I don't have a cookie named csrftoken.
Part of my settings.py looks like this:
SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
#SECURE_HSTS_SECONDS = 31536000
#SECURE_CONTENT_TYPE_NOSNIFF = True
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
#SESSION_COOKIE_SAMESITE = None
#SECURE_HSTS_PRELOAD = True
I haven't turned on HTTPS yet
Everything worked fine on the development server.
Where to find the cause and what to improve?
Problem solved.
You just have to generate an SSL certificate and enable HTTPS.
This post showed me the solution: Django: Forbidden (CSRF cookie not set.)
What solved it for me was to add the following to settings.py, replacing "<my_domain>" part of course.
CSRF_TRUSTED_ORIGINS = ['https://<my_domain>.com']
The code above works like magic.
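Both CSRF threads on this page (the "CSRF verification failed" one and the "no csrftoken cookie after moving to production" one) have the same root cause: CSRF_COOKIE_SECURE = True or SESSION_COOKIE_SECURE = True on a site that is still served over plain http. Django does send the cookie with the Secure attribute, but a browser never returns a Secure cookie on an http:// request (and modern browsers refuse to store one set by an http:// response at all), so the POST arrives without a csrftoken cookie and CsrfViewMiddleware rejects it no matter what the form contains. The following is an added example, not code from the posts above or from Django: Python's http.cookiejar applies the same return rule and stands in for the browser. The Set-Cookie lines, the token value and the site name are constructed.

```python
"""Added example: why a Secure csrftoken cookie never comes back over plain
http. http.cookiejar stands in for the browser; the Set-Cookie lines are
constructed to look like Django's, with a made-up token value."""

import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies(),
    which only calls .info() to read the Set-Cookie headers."""

    def __init__(self, set_cookie_lines):
        self._headers = Message()
        for line in set_cookie_lines:
            self._headers.add_header("Set-Cookie", line)

    def info(self):
        return self._headers


def django_csrf_cookie(secure):
    """The Set-Cookie line Django emits for csrftoken with CSRF_COOKIE_SECURE
    True or False (constructed; the token is a made-up value)."""
    attrs = ["csrftoken=n3WSFqHqfYc9xJ6n", "Path=/", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def cookie_header_on_post(set_cookie_line, page_url, post_url):
    """Store the cookie a GET of page_url set, then return the Cookie header
    the client attaches to a POST to post_url (None when it sends nothing).
    The jar's return rule is the browser's: Secure cookies go out only over
    https (and wss)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_line]),
                        urllib.request.Request(page_url))
    post = urllib.request.Request(post_url, method="POST")
    jar.add_cookie_header(post)
    return post.get_header("Cookie")


def csrf_outcomes(site="example.com"):
    """The three situations from the threads above. CsrfViewMiddleware rejects
    the POST when no csrftoken cookie arrives, whatever the form carries."""
    cases = {
        # Production with *_COOKIE_SECURE = True but no TLS yet: token never returns.
        "secure_cookie_over_http": ("http", True),
        # Stopgap suggested in the first thread: drop the Secure flag. It works,
        # but the token and the session id then cross the network in clear.
        "plain_cookie_over_http": ("http", False),
        # The fix from the second thread: serve the site over HTTPS.
        "secure_cookie_over_https": ("https", True),
    }
    return {
        label: cookie_header_on_post(django_csrf_cookie(secure),
                                     f"{scheme}://{site}/login/",
                                     f"{scheme}://{site}/login/submit/")
        for label, (scheme, secure) in cases.items()
    }
```

The middle case is the one to avoid in production: turning the Secure flags off makes the form work, but it does so by letting the CSRF token and session cookie travel unencrypted. Enabling HTTPS and keeping the flags on, as the second thread ended up doing, is the only configuration where the token is both returned and protected.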

Configuring Django Production Settings and Content Security Policy

I'm trying to configure my site to pass the tests at:
https://observatory.mozilla.org
https://csp-evaluator.withgoogle.com/
I've been looking at this blog post. I'm using the Django app called django-csp to implement this. My Django settings in production are as follows:
# Content Security Policy
CSP_DEFAULT_SRC = ("'none'", )
CSP_STYLE_SRC = ("'self'", "fonts.googleapis.com", "'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI='")
CSP_SCRIPT_SRC = ("'self'", )
CSP_IMG_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", "fonts.gstatic.com")
CSP_CONNECT_SRC = ("'self'", )
CSP_OBJECT_SRC = ("'none'", )
CSP_BASE_URI = ("'none'", )
CSP_FRAME_ANCESTORS = ("'self'", 'https://example.com/', 'https://example.com/')
CSP_FORM_ACTION = ("'self'", )
CSP_INCLUDE_NONCE_IN = ('script-src',)
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 60
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Yet, when I run the aforementioned tests I fail even though I have the above setup. Moreover, in Chrome dev tools I receive no errors, which is great.
Anyone have advice on this please?
Thanks
Update:
I'm deploying the app via Heroku. When I test the appname.herokuapp.com url with Mozilla Observatory, I pass all the tests.
It seems that when I forward the domain appname.herokuapp.com to mywebsite.com, some settings are skipped? I failed the tests with mywebsite.com
I have added the CNAME www to be the value of the custom Heroku DNS.
Indeed, my issue was in the way I had configured my DNS settings. I kept my Django production settings as is (see above).
I added a custom domain in my Heroku settings and used the auto-generated server name in my CNAME settings in Cloudflare.
Then I ran a check in Mozilla Observatory and passed the tests.