DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Forbidden (403) CSRF verification failed. Request aborted. #8432

Open ankur-aggarwal0403 opened 1 year ago

ankur-aggarwal0403 commented 1 year ago

Docker version: 24.0.5 Docker-compose version: 1.29.2

Running Docker on Red Hat Enterprise Linux release 8.8 (Ootpa)

Modifications: django-DefectDojo/docker-compose.yml --> Changed port from 8443 to 8444 for nginx Using nginx as reverse proxy which listens on port 8443(outside) and points to defectdojo running on port 8080.

Observations: After clicking on the URL with port 8443, it opens up the login page. After providing the credentials it responds with the error message: "Forbidden (403) CSRF verification failed. Request aborted."


Philaaadata commented 1 year ago

Hi,

I have this error with RHEL 7.

I changed the port 8080 to 8980, it works in http with the server name but not behind an apache reverse proxy in https.

My setup :

LAN <-> server RHEL 7 with Apache reverse proxy defectdojo.mydomain.tld in https <-> server rhel 7 with docker

I tested "export DD_CSRF_TRUSTED_ORIGINS" without much result

Do you have any suggestion ?

Thanks in advance,

Regards

0xbrigles commented 1 year ago

Hi I ran into the same problem.

In my case DefectDojo is running on the default port 8080 behind an external Nginx TLS reverse proxy on another server.

I had to change the file ./dojo/settings/settings.dist.py to add my URL and the proxy server IP to the variable DD_CSRF_TRUSTED_ORIGINS:

    ....
    DD_CSRF_TRUSTED_ORIGINS=(list, ['https://djo.example.org', '10.10.0.125']),
    ....

After changing the file a new build needs to be created by using: ./dc-build.sh and then start your deployment again, e.g.: ./dc-up-d.sh postgres-redis

Now I am able to login without these CSRF errors.
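To make clear why the trusted-origins setting matters behind a TLS-terminating proxy, here is an added example (not DefectDojo's or Django's code) that reimplements a simplified form of the Django CSRF origin check: the browser's `Origin` header is compared first with the origin the application believes it has, then with the configured trusted origins, including `https://*.example.org` wildcard entries. The hostname `djo.example.org`, the function names and the `proxy_sets_ssl_header` flag are constructed for the illustration; the rule that every entry must carry a scheme matches what Django 4.0 and later enforce at startup.

```python
"""Simplified model of Django's CSRF origin check (hypothetical reimplementation,
not Django's or DefectDojo's code). Django compares the browser's Origin header
against (a) the origin the application itself sees and (b) CSRF_TRUSTED_ORIGINS."""
from urllib.parse import urlparse


def parse_trusted_origins(trusted):
    """Split CSRF_TRUSTED_ORIGINS into exact origins and wildcard subdomain rules.
    Entries without a scheme are rejected, as Django 4.0+ does at startup."""
    exact = set()
    wildcards = {}  # scheme -> set of domain suffixes such as ".example.org"
    for entry in trusted:
        if "://" not in entry:
            raise ValueError(f"{entry!r} must start with a scheme, e.g. https://")
        scheme, netloc = entry.split("://", 1)
        if netloc.startswith("*"):
            wildcards.setdefault(scheme, set()).add(netloc[1:])  # "*.a.org" -> ".a.org"
        else:
            exact.add(entry)
    return exact, wildcards


def origin_allowed(origin_header, app_scheme, app_host, trusted):
    """Return True if a POST carrying this Origin header passes the CSRF origin check.

    app_scheme/app_host are what the application believes its own origin is; behind a
    TLS-terminating proxy that does not forward the scheme, that is plain 'http'."""
    if origin_header == f"{app_scheme}://{app_host}":
        return True  # same-origin request, no trusted-origins lookup needed
    exact, wildcards = parse_trusted_origins(trusted)
    if origin_header in exact:
        return True
    parsed = urlparse(origin_header)
    for suffix in wildcards.get(parsed.scheme, ()):
        if parsed.netloc == suffix.lstrip(".") or parsed.netloc.endswith(suffix):
            return True
    return False


def simulate_login_behind_proxy(trusted, proxy_sets_ssl_header=False):
    """Constructed scenario: the browser talks https to the proxy, the proxy talks
    http to the app. If the proxy forwards the original scheme and the app honours it
    (SECURE_PROXY_SSL_HEADER in Django), the app sees https and the request is same-origin."""
    browser_origin = "https://djo.example.org"  # constructed hostname
    app_scheme = "https" if proxy_sets_ssl_header else "http"
    app_host = "djo.example.org"  # assumes the proxy preserves the Host header
    return origin_allowed(browser_origin, app_scheme, app_host, trusted)


if __name__ == "__main__":
    print("no trusted origins:   ", simulate_login_behind_proxy([]))
    print("trusted origin set:   ", simulate_login_behind_proxy(["https://djo.example.org"]))
    print("proxy scheme honoured:", simulate_login_behind_proxy([], proxy_sets_ssl_header=True))
```

The first case reproduces the 403 in this thread: the browser sends `Origin: https://djo.example.org`, the app only sees `http://djo.example.org`, and with no trusted origins the check fails. Listing the public `https://` origin fixes it, and so does letting the app learn the original scheme from the proxy, provided the proxy also passes the public `Host` header through unchanged.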

ngocnn97 commented 10 months ago

I have the same problem but deploying using helm, can someone help me fix it?

dsever commented 10 months ago

You can specify DD_CSRF_TRUSTED_ORIGINS in helm as well using extra configs https://github.com/DefectDojo/django-DefectDojo/blob/master/helm/defectdojo/values.yaml#L541

hackerph12 commented 4 months ago

Hi @Philaaadata, did you get any workaround? Seems I am facing the same issue

nicolas-amegacorp commented 15 hours ago

Same issue here; DD_CSRF_TRUSTED_ORIGINS in local_settings.py does not help