By : Javed Khan

While testing out a API from another django site, I came across a seemingly common error.

403 Forbidden

CSRF verification failed. Request aborted.

Help

Reason given for failure:

    No CSRF or session cookie.

Posting the data to the api endpoint returned 403 Forbidden with the standard csrf failure error page. I cross checked that the view was csrf_exempted and that CsrfViewMiddleware was not enabled. The view had some other unrelated decorators which I guessed could be the cause of the problem. According to this bug, not all decorators play nice with the csrf_exempt decorator. Even with that fixed, there was no luck.

Well, turns out that I was posting the data to a non-existent URL (/facepalm) and django was catching the csrf part earlier than the not found part. For more discussion about this topic look at HTTP POST sent from app to Django Server returns 403 Forbidden

Lessons of the day:

• POST'ing to a non-existent url results in csrf failure error.
• debug messages can be deceptive.

Can we help you build amazing apps? Contact us today.