2

I need for my Django app to be able to receive unsolicited POST requests, without the CSRF token. This question has been asked before here, but the answer given, implementing a class based view with functions get and post has not helped me.

This is my view class:

    from django.http import HttpResponse
    from django.views.generic import TemplateView

    class WebHooks(TemplateView):

        def get(self, request):
            return HttpResponse("get")

        def post(self, request):
            return HttpResponse("post")

I also added the directive

    <Location "/">
       AllowMethods GET POST OPTIONS
    </Location>

to my httpd.conf for Apache and set the CSRF_USE_SESSION constant in Django's settings.py to False.

Testing this with Postman keeps returning "get". The server access log reads "POST /url HTTP/1.1" 403 3366.

How do I enable POST requests?

EDIT:

I did some local testing on the server and found that it must be Apache that's screwing me here. Sending a POST request to Django's development server returned "post", while the Apache server returned "get".

EDIT2:

It seems Apache redirects all traffic by default. To enable it to forward POST requests to the django app I need the mod_proxy and mod_rewrite modules according to this question. I loaded the modules and edited my VirtualHost to look like this:

    <VirtualHost *:443>
        RewriteEngine On
        RewriteRule /proxy/(.*)$ https://www.my.domain/$1 [P,L]
        ServerName my.domain
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile "path/to/cert"
        SSLCertificateKeyFile "path/to/key"
    </VirtualHost>

I am still unsure in which Directory directive to place the lines

    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted

POST requests still get turned into GET requests...

EDIT3:

After writing EDIT2 I reread my question and noticed that my problem went from django refusing a POST request to Apache turning POST requests to GET requests. I don't know why. This is highly confusing to me.

3
  • Use @csrf_exempt decorator. docs.djangoproject.com/en/3.1/ref/csrf/… Commented Aug 31, 2020 at 13:44
  • Sadly this works neither in class based, nor in function based view for me Commented Aug 31, 2020 at 14:47
  • 1
    For class based it is like this @method_decorator(csrf_exempt, name='dispatch'). But if it doesn't work in function based view maybe that's not the issue. Commented Aug 31, 2020 at 14:52

2 Answers

-1

Comment out django.middleware.csrf.CsrfViewMiddleware in the MIDDLEWARE entry in settings.py of your django project.

I tried curl -X POST localhost:8000/ after adding a trivial post to a class-based view. It returned the famous 403 CSRF verification failed.

After commenting out the above middleware the post method was invoked.


-3

Had a similar problem; the easiest fix is to disable the firewall to get the GET and POST working.

2 Comments

I think that proposing that anyone disable the firewall is the worst idea possible, as it will affect the security of the whole app instead of permitting posting to one view. Also, the question doesn't say anything about a firewall, WAF or the OS used.
Firewall is not related to CSRF token. CSRF token is just a cookie.
