What does this error mean? "Forbidden (Referer checking failed - no Referer.):"
I have a website running, which appears to be working fine. Yet, now I've seen this error in the logs for the first time.
Forbidden (Referer checking failed - no Referer.): /pointlocations/
[pid: 4143|app: 0|req: 148/295] 104.176.70.209 () {48 vars in 1043 bytes} [Wed Jul 26 19:49:35 2017] POST /pointlocations/?participant=A2TYLR23CHRULH&assignmentId=3P4MQ7TPPYF65ANAUBF8A3B38A0BB6 => generated 2737 bytes in 2 msecs (HTTP/1.1 403) 1 headers in 51 bytes (1 switches on core 0)
It happens when posting to /pointlocations/, but only for one specific person (each participant is unique per account, so I know it's only one person having this problem repeatedly). Over 500+ other participants have had no such problem/error.
What does this error mean, what is likely causing it and can I fix this?
Solution 1:[1]
Upgrading Django might fix the missing Referer error (as it's sent voluntarily by the client depending on Referrer-Policy).
As of Django 4.0 (release notes), the backend will first check the Origin header before falling back to the Referer header (source):
- CsrfViewMiddleware verifies the Origin header, if provided by the browser, against the current host and the CSRF_TRUSTED_ORIGINS setting. This provides protection against cross-subdomain attacks.
- In addition, for HTTPS requests, if the Origin header isn't provided, CsrfViewMiddleware performs strict referer checking. This means that even if a subdomain can set or modify cookies on your domain, it can't force a user to post to your application since that request won't come from your own exact domain.
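To make the Origin-then-Referer order described above concrete, here is an added, simplified model of that decision (example code written for this page, not Django's own implementation or the answerer's code). It assumes a constructed request dict in place of Django's HttpRequest and leaves out the CSRF token/cookie comparison that Django performs afterwards; the reason strings follow Django's wording.

```python
from urllib.parse import urlparse

# Constructed stand-in for Django's HttpRequest: a dict with keys
# "secure" (bool), "host" (str) and "headers" (dict). Not Django's own code.
def check_csrf_origin(request, trusted_origins=()):
    """Return (accepted, reason) in the order Django 4.0's CsrfViewMiddleware
    uses: the Origin header first, then (HTTPS only) the Referer header.
    The token/cookie check that Django runs next is intentionally omitted."""
    headers = request["headers"]
    scheme = "https" if request["secure"] else "http"
    own_origin = f"{scheme}://{request['host']}"
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send Origin on cross-site POSTs; accept only our own
        # origin or one listed explicitly (CSRF_TRUSTED_ORIGINS).
        if origin == own_origin or origin in trusted_origins:
            return True, "Origin matches"
        return False, f"Origin checking failed - {origin} does not match any trusted origins."
    if not request["secure"]:
        # The Referer check only runs over HTTPS; a plain-HTTP request
        # falls through to the CSRF token check alone.
        return True, "no Origin; plain HTTP skips Referer check"
    referer = headers.get("Referer")
    if referer is None:
        # The exact condition behind the log line in the question: an HTTPS
        # POST carrying neither Origin nor Referer (for example a client whose
        # Referrer-Policy is "no-referrer").
        return False, "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.netloc:
        return False, "Referer checking failed - Referer is malformed."
    if parsed.scheme != "https":
        return False, "Referer checking failed - Referer is insecure while host is secure."
    if parsed.netloc == request["host"] or f"https://{parsed.netloc}" in trusted_origins:
        return True, "Referer matches"
    return False, f"Referer checking failed - {referer} does not match any trusted origins."
```

Running the first case below reproduces the rejection from the question; the same request with an Origin header that matches the host is accepted, which is why upgrading helps for clients that suppress Referer but still send Origin.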
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | ddelange |
