Question

CSRF Verification Fails on Django App Platform - Admin login

I have an app platform app running Django.

When I try to log into the django admin panel I get the following error:

# Forbidden (403)

CSRF verification failed. Request aborted.

## Help

Reason given for failure:

    Origin checking failed - https://xxxxxxxxxxxx.ondigitalocean.app does not match any trusted origins.

I have run a few different app platform apps before using the DO Django tutorial (https://docs.digitalocean.com/tutorials/app-deploy-django-app/) and have not encountered this. The only things I’ve changed this time are:

  • I’m using docker because I have a GDAL dependency for this app
  • The DATABASES section in my settings.py is currently hard-coded to point at a DO managed DB running postgres + postgis

I don’t really know where to start with tracking this down, is it a problem with my settings.py config? Is it a problem with the DB?

Any advice is appreciated.



Bobby Iliev
Site Moderator
June 27, 2023
Accepted Answer

Hi there,

Indeed as you mentioned, this is usually related to the ALLOWED_HOSTS not being set correctly in your settings.py file.

Here’s what you could try out to debug this:

  1. Check your ALLOWED_HOSTS setting: The ALLOWED_HOSTS setting in your Django settings.py file should include the hostname that you’re seeing in the error message. In this case, you should have something like:

    ALLOWED_HOSTS = ['your_app.ondigitalocean.app']
    

    Or, if you want to allow all subdomains as well:

    ALLOWED_HOSTS = ['.ondigitalocean.app']
    

    The ALLOWED_HOSTS setting is a list of strings representing the host/domain names that this Django site can serve. If DEBUG is set to False and you’re getting this error, it’s probably because the hostname isn’t listed in ALLOWED_HOSTS.

  2. Check your CSRF_TRUSTED_ORIGINS setting: If your Django project is served via multiple domain names and you’re using HTTPS, you should also check the CSRF_TRUSTED_ORIGINS setting. This setting is a list of hosts which are trusted origins for ‘safe’ HTTP methods. Hosts in this list can send cross-subdomain requests to other hosts also in this list, over HTTPS.

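    # Django 4.0+ requires the scheme in each entry
    CSRF_TRUSTED_ORIGINS = ['https://your_app.ondigitalocean.app']

    Or if you want to allow all subdomains:

    # Django 4.0+ wildcard form: scheme plus a leading '*.'
    CSRF_TRUSTED_ORIGINS = ['https://*.ondigitalocean.app']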

Let me know how it goes!

Best,

Bobby
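The "Origin checking failed" message in the question comes from the Origin-header comparison in Django 4.0+; the following is an added example, not code from the answer or from Django itself, that models that comparison in plain Python to show which `CSRF_TRUSTED_ORIGINS` values match. The helper names and hostnames are constructed, and `is_secure=False` assumes TLS is terminated at a proxy in front of the container, which the page does not state.

```python
from urllib.parse import urlparse

def is_same_domain(host, pattern):
    # ".example.com" matches example.com and any subdomain; otherwise exact match.
    pattern = pattern.lower()
    return bool(pattern) and (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )

def origin_trusted(origin, host, is_secure, trusted_origins):
    """Simplified model of the Origin check in Django 4.0+ CSRF middleware."""
    # 1. Same origin: the scheme Django believes was used, plus the Host header.
    if origin == f"{'https' if is_secure else 'http'}://{host}":
        return True
    # 2. Entries without "*" are compared as complete origin strings.
    if origin in {o for o in trusted_origins if "*" not in o}:
        return True
    # 3. Wildcard entries: scheme must match, "*" is stripped, rest is a suffix.
    parsed = urlparse(origin)
    for entry in (urlparse(o) for o in trusted_origins if "*" in o):
        if entry.scheme == parsed.scheme and is_same_domain(
            parsed.netloc, entry.netloc.lstrip("*")
        ):
            return True
    return False

# Constructed sample values (placeholder hostnames, not from the question).
ORIGIN = "https://your_app.ondigitalocean.app"
HOST = "your_app.ondigitalocean.app"
WILDCARD = ["https://*.ondigitalocean.app"]

def demo():
    return {
        # Assumption: proxy ends TLS, Django sees HTTP, so step 1 fails.
        "no_setting": origin_trusted(ORIGIN, HOST, False, []),
        # A bare hostname never equals an origin string (scheme missing).
        "bare_host": origin_trusted(ORIGIN, HOST, False, [HOST]),
        "full_origin": origin_trusted(ORIGIN, HOST, False, [ORIGIN]),
        "wildcard": origin_trusted(ORIGIN, HOST, False, WILDCARD),
        # Caveat: a wildcard on a shared platform domain trusts every app on it.
        "other_app": origin_trusted(
            "https://someone-else.ondigitalocean.app", HOST, False, WILDCARD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `other_app` case is the reason to prefer the exact origin over the wildcard when the parent domain is shared with other customers.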
