Hi John,

Even though I'm two years late, in case someone runs into this problem, I managed to solve it by:

- Whitelisting the 'x-csrfmiddlewaretoken' header (i.e. it gets properly forwarded to origin) in the distribution settings.
- Whitelisting the 'csrftoken' cookie in the distribution behaviour.

Best,
Joao

On Thursday, 26 June 2014 at 18:26:18 UTC-3, John Briere wrote:
>
> I'm sure there's a simple solution for this but I haven't found it. AWS
> Cloudfront strips out the referer header:
>
> http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomRemovedHeaders
>
> Django requires a referer to exist and to match the current site as part
> of CSRF protection:
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works
>
> Immediate issue is that /admin doesn't work at all, but even if I exclude
> /admin from being behind Cloudfront, what about other forms that users will
> interact with?
>
> thanks- John
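To make the failure mode concrete, here is an added Python model (not code from this thread, from Django or from AWS) of how a CloudFront cache behavior's forwarded headers and cookies decide whether a Django CSRF-protected POST still passes once it reaches the origin. It assumes the simplified rules in the comments: CloudFront drops Referer and all cookies unless they are whitelisted for forwarding (the AWS page John linked), and Django checks Referer only over HTTPS, then the csrftoken cookie, then the token from the form field or the X-CSRFToken header; real Django additionally masks tokens and honours CSRF_TRUSTED_ORIGINS, which this model leaves out.

```python
import hmac
from urllib.parse import urlparse

# Modelled CloudFront rule (per the AWS doc linked in the thread): Referer is
# removed before the request reaches the origin unless whitelisted for
# forwarding; cookies are removed unless forwarding is "all" or a name whitelist.
STRIPPED_UNLESS_WHITELISTED = {"referer"}


def forward_to_origin(request, behavior):
    """Return the request as the origin sees it behind this cache behavior."""
    allowed = {h.lower() for h in behavior.get("headers", ())}
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() not in STRIPPED_UNLESS_WHITELISTED or k.lower() in allowed}
    mode = behavior.get("cookies", "none")          # "none", "all" or a set of names
    if mode == "all":
        cookies = dict(request["cookies"])
    elif mode == "none":
        cookies = {}
    else:
        cookies = {k: v for k, v in request["cookies"].items() if k in mode}
    return {**request, "headers": headers, "cookies": cookies}


def django_csrf_check(request):
    """Simplified CsrfViewMiddleware: (accepted, reason) for an unsafe request."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if request["scheme"] == "https":                # Referer is only required over HTTPS
        referer = headers.get("referer")
        if not referer:
            return False, "Referer checking failed - no Referer."
        if urlparse(referer).hostname != request["host"]:
            return False, "Referer checking failed - host does not match."
    cookie = request["cookies"].get("csrftoken")
    if not cookie:
        return False, "CSRF cookie not set."
    token = request["form"].get("csrfmiddlewaretoken") or headers.get("x-csrftoken", "")
    if not hmac.compare_digest(token, cookie):     # constant-time compare, as Django does
        return False, "CSRF token missing or incorrect."
    return True, "ok"


def csrf_post_survives(behavior, scheme="https"):
    """Does a well-formed Django form POST pass CSRF after crossing CloudFront?"""
    request = {                                      # constructed sample request
        "scheme": scheme, "host": "example.com",
        "headers": {"Referer": f"{scheme}://example.com/form/", "X-CSRFToken": "tok123"},
        "cookies": {"csrftoken": "tok123"},
        "form": {"csrfmiddlewaretoken": "tok123"},
    }
    return django_csrf_check(forward_to_origin(request, behavior))
```

Running `csrf_post_survives` with the default behavior (nothing forwarded) reproduces the 403 John saw over HTTPS, while forwarding the Referer header plus the csrftoken cookie lets the same POST through.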

