HTTP Status Code: 403 Response:
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.
Help
Reason given for failure:
CSRF cookie not set.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.
You are calling a POST endpoint that Django protects with a CSRF token (an ordinary Django view function gets this protection from CsrfViewMiddleware by default), and the request arrived without the csrftoken cookie. That is what the reason line "CSRF cookie not set." means, and the middleware rejected the request before your view ran. The same 403 page appears, with a different reason, when the cookie is present but the csrfmiddlewaretoken form field or the X-CSRFToken header is missing or does not match it.
This is Django's cross-site request forgery (CSRF) protection at work: it stops a third-party site from using the user's browser, and the session cookie stored in it, to submit requests on the user's behalf.
Solutions
Method one: add a CSRF token to the POST request (recommended for server-rendered pages)
<form method="post">
    {% csrf_token %}
    …
</form>
The template tag renders a hidden csrfmiddlewaretoken field, and the middleware sets the csrftoken cookie on the response that rendered the page, so the view must render the template with the request (for example render(request, ...)). If the form is submitted from JavaScript instead, send the same token in the X-CSRFToken header of the POST; the cookie still has to be present.
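The check that the help text above describes (cookie on one side, token in the form on the other) works like this. The block is an added illustration written for this page, not Django's own code, and it imports nothing from Django: it re-implements the masking scheme behind {% csrf_token %} so you can see why every render of the form carries a different token, why all of them are accepted against the same cookie, and which inputs are refused. Function names and the constructed secret are assumptions of the example.

```python
import hmac
import secrets
import string

# Alphabet and lengths match Django's csrf module (public constants); the
# functions below are a re-implementation for illustration, not Django's code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                     # value stored in the csrftoken cookie
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH  # mask + ciphered secret, as rendered in the form


def new_secret() -> str:
    """Random alphanumeric secret: the value the middleware puts in the cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def _shift(c: str, m: str, sign: int) -> str:
    """Shift character c by the alphabet index of mask character m (mod alphabet size)."""
    n = len(CSRF_ALLOWED_CHARS)
    return CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) + sign * CSRF_ALLOWED_CHARS.index(m)) % n]


def mask_secret(secret: str) -> str:
    """The 64-char value {% csrf_token %} renders: a fresh random mask followed by
    the secret shifted by that mask. Every render gets a new mask, so two copies
    of the same form carry different tokens that unmask to one secret."""
    mask = new_secret()
    return mask + "".join(_shift(s, m, +1) for s, m in zip(secret, mask))


def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the secret from a submitted 64-char token."""
    mask, ciphered = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(_shift(c, m, -1) for c, m in zip(ciphered, mask))


def token_matches(cookie_secret, submitted) -> bool:
    """The comparison behind 'CSRF verification failed'.

    cookie_secret: csrftoken cookie value, or None when the browser sent no
                   cookie (the page's 'CSRF cookie not set.' case).
    submitted:     csrfmiddlewaretoken form field or X-CSRFToken header value.
    """
    if cookie_secret is None or not submitted:
        return False
    if any(ch not in CSRF_ALLOWED_CHARS for ch in submitted):
        return False
    if len(submitted) == CSRF_TOKEN_LENGTH:
        candidate = unmask_token(submitted)   # masked token from the form
    elif len(submitted) == CSRF_SECRET_LENGTH:
        candidate = submitted                 # bare cookie value copied into X-CSRFToken by JS (accepted since Django 4.1)
    else:
        return False
    return hmac.compare_digest(candidate, cookie_secret)  # constant-time compare


def demo() -> dict:
    """Exercise the scheme with a constructed secret; returns named outcomes."""
    secret = new_secret()
    first_render, second_render = mask_secret(secret), mask_secret(secret)
    return {
        "renders_differ": first_render != second_render,
        "both_unmask_to_secret": unmask_token(first_render) == secret == unmask_token(second_render),
        "form_token_ok": token_matches(secret, first_render),
        "older_tab_token_ok": token_matches(secret, second_render),
        "header_with_cookie_value_ok": token_matches(secret, secret),
        "no_cookie": token_matches(None, first_render),
        # token minted for another secret, e.g. a page rendered before the
        # token was rotated at login, submitted against the post-login cookie
        "rotated_secret": token_matches(secret, mask_secret(new_secret())),
        "garbage": token_matches(secret, "<script>"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

The two refusal cases at the end are the ones the help text lists: no cookie at all, and a token minted for a secret the cookie no longer holds (which is what happens to a form that was rendered before the token was rotated at login).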
Method two: disable the CSRF check on the view (only for APIs or internal calls that do not authenticate with the session cookie)
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def llm_start(request):
    …
In Django, the @csrf_exempt decorator switches the check off for that one view: CsrfViewMiddleware sees the csrf_exempt attribute the decorator sets and lets the POST through without looking at the cookie or the token. That removes the protection rather than satisfying it, so any page on the web can then make a logged-in user's browser call llm_start with the user's session cookie attached. Reserve it for views that authenticate with something a cross-site page cannot attach to the request (an Authorization header, an API key), and do not use it to make a browser form "work".
Method three: use Django REST framework (if you are building an API)
If the API is built with Django REST framework (DRF), CSRF behaviour is decided by the authentication classes, not by a separate switch in settings.py. DRF wraps every APIView in csrf_exempt, so CsrfViewMiddleware does not check DRF views at all; instead SessionAuthentication runs the CSRF check itself (its enforce_csrf method) for every request it authenticates with the session cookie. Header-based classes such as TokenAuthentication, BasicAuthentication or a JWT authenticator perform no CSRF check, because a cross-site page cannot attach those headers to a request. To get an API endpoint that needs no CSRF token, authenticate it with one of those classes and leave SessionAuthentication out.
Configuring DRF that way in settings.py:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        # Header-based authentication: DRF applies no CSRF check to requests
        # authenticated this way. TokenAuthentication needs
        # 'rest_framework.authtoken' in INSTALLED_APPS.
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.BasicAuthentication',
        # Adding SessionAuthentication here brings the CSRF check back for
        # browser clients that carry a session cookie; keep it only if the API
        # is also called from same-origin pages that send X-CSRFToken.
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
    ),
    'DEFAULT_PARSER_CLASSES': (
        'rest_framework.parsers.JSONParser',
    ),
}
The original snippet ended with CSRF_COOKIE_HTTPONLY = True under a comment claiming it disables CSRF verification. It does not: that setting only marks the csrftoken cookie HttpOnly, so page JavaScript can no longer read it to fill the X-CSRFToken header, which causes this very 403 for AJAX clients rather than curing it. Leave it at its default (False) unless scripts get the token some other way, such as the csrf_token tag rendered into the page.
To bypass the check on a single DRF view, wrapping it in @csrf_exempt changes nothing, because APIView is already exempt from the middleware; the check lives in SessionAuthentication. Instead set authentication_classes on that view to a header-based class, or to a SessionAuthentication subclass whose enforce_csrf method does nothing. The latter makes that session-authenticated endpoint forgeable from any website, so treat it with the same caution as @csrf_exempt in method two.