#28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG is False
-------------------------------------+-------------------------------------
               Reporter:  Ruben Alves       |          Owner:  nobody
                   Type:  Bug               |         Status:  new
              Component:  CSRF              |        Version:  1.11
               Severity:  Release blocker   |       Keywords:  csrf failed settings debug false production
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
-------------------------------------+-------------------------------------

Hi all,

I'm using Django 1.11 (and made tests also with Django 1.11.4) and having problems when submitting a form with POST method. I'm calling the `{% csrf_token %}` inside of the form, so, this is not the problem.

The problem when submitting the form is:

    Forbidden (403)
    CSRF verification failed. Request aborted.
    More information is available with DEBUG=True.

Then, in order to see "more information", I've set `settings.DEBUG` to `True` and submitted the form again. At this moment, the problem didn't happen anymore. So I've disabled `settings.DEBUG`, submitted again, and the problem was there. Enabled `DEBUG=True` again, problem has gone.

Initially I thought that could be some error in my code, but the same happens when I try to reset my password with the `django.contrib.auth.views.password_reset` view.

In my `settings.py`, I have the following changes that were made recently:

`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`
`SESSION_COOKIE_SECURE = True`
`CSRF_COOKIE_SECURE = True`

I use AWS (Amazon Web Service) Elastic Beanstalk with https enabled.

The worst part is that I've discovered this only on production because I make all tests in my local machine with `DEBUG=True`, and on production, we set `DEBUG=False`.

It's something related to the same error mentioned on Google Groups [https://groups.google.com/forum/#!searchin/django-users/CSRF$20verification$20failed.$20Request$20aborted.$20More$20information$20is$20available$20with$20DEBUG$3DTrue.%7Csort:relevance/django-users/ISoJ6CwHOXQ/pirLih0jBgAJ]

--
Ticket URL: <https://code.djangoproject.com/ticket/28488>