Problem description
After installing SSL/https keys, X-CSRFToken is dropped. I also set up http2. Before Https everything worked correctly, but now I am getting 403 because the CSRF token is missing. Can't find info addressing this particular issue. Thanks for any help.
support
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl on;
    server_name site.io www.site.io;
    # Use the Let's Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/site.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.io/privkey.pem;
    # Include the SSL configuration from cipherli.st
    include /etc/nginx/snippets/ssl-params.conf;
    add_header Strict-Transport-Security max-age=500;
    access_log /home/nodejs/site.io/resuma_io_access.log;
    error_log /home/nodejs/site.io/resuma_io_error.log;
    root /home/nodejs/site.io/www/dist/client;
    location ~ ^/(api|user|auth|socket.io-client|sitemap.xml) {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_ssl_session_reuse off;
        proxy_redirect off;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_http_version 1.1;
        proxy_pass_header X-CSRFToken;
        add_header X-Frame-Options SAMEORIGIN;
        sendfile off;
        proxy_pass http://nodejs_upstream;
    }
}
Reading through my last search on stackoverflow I've found the real cause of the problem. In my case, it was not a header problem but a cookie one! CSRFToken was not in the cookie!
What Wtower answered on 13/05/2015 to "403 Forbidden error when making an ajax Post request in Django framework" explains it clearly.
CSRF_COOKIE_HTTPONLY = True
in settings.py must be either removed or set to False!
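As an added example (not part of the original question or answer), the browser-side logic that produces the 403: the front end reads the csrftoken cookie to fill the X-CSRFToken header, and CSRF_COOKIE_HTTPONLY = True hides that cookie from JavaScript. Django's documented alternative to turning the flag off is to read the token from the hidden input rendered by {% csrf_token %}; both paths are shown, with document.cookie and the hidden input simulated by constructed strings so it runs in Node.

```javascript
// Added example; cookie strings and the DOM token below are constructed.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Resolve the token: try the csrftoken cookie first, then fall back to the
// value of the hidden <input name="csrfmiddlewaretoken"> rendered by
// {% csrf_token %}. With CSRF_COOKIE_HTTPONLY = True the browser never exposes
// the cookie to JavaScript, so only the DOM fallback can succeed.
function resolveCsrfToken(cookieString, hiddenInputValue) {
  const fromCookie = getCookie('csrftoken', cookieString);
  if (fromCookie) return { token: fromCookie, source: 'cookie' };
  if (hiddenInputValue) return { token: hiddenInputValue, source: 'dom' };
  return { token: null, source: 'none' };
}

// Build fetch() options for a state-changing request. Django's CsrfViewMiddleware
// accepts the token as the csrfmiddlewaretoken form field or the X-CSRFToken
// header; a POST carrying neither is rejected with the 403 from the question.
function buildPostInit(bodyObject, token) {
  if (!token) throw new Error('No CSRF token available; request would get 403');
  return {
    method: 'POST',
    credentials: 'same-origin', // send the session and csrftoken cookies
    headers: {
      'Content-Type': 'application/json',
      'X-CSRFToken': token,
    },
    body: JSON.stringify(bodyObject),
  };
}

// Constructed sample inputs (sessionid is Django's default session cookie name).
const COOKIES_HTTPONLY_OFF = 'sessionid=abc123; csrftoken=tokenFromCookie';
const COOKIES_HTTPONLY_ON = 'sessionid=abc123'; // csrftoken hidden from JS
const DOM_TOKEN = 'tokenFromHiddenInput';

const resolved = resolveCsrfToken(COOKIES_HTTPONLY_ON, DOM_TOKEN);
console.log(resolved.source, buildPostInit({ ok: true }, resolved.token).headers['X-CSRFToken']);
```

Passing an empty hiddenInputValue with the HttpOnly cookie string reproduces the failing case: resolveCsrfToken returns source 'none' and buildPostInit refuses to build the request.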