I have used django-cors-headers
for CORS
but unable to get CORS
to work in a right way.
Like from client end I can run code from any host that are not in ALLOWED HOSTS but the request still completes without any CORS
error.
Can anyone tell me , how can I only allow whitelisted hosts?
My settings.py
from pathlib import Path
import os
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ["SECRET_KEY"]
# SECURITY WARNING: don't run with debug turned on in production!
SECURITY_TRUE = True
SECURITY_FALSE = False
DEBUG = False
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_SECONDS = 1 #31536000
ALLOWED_HOSTS = ["127.0.0.1"]
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
# add rest_framework support to the project
'rest_framework',
# setting cors policy is needed to make calls from ui to api
'corsheaders',
'mauth'
]
MIDDLEWARE = [
# Add cors middleware
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'm.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [os.path.join(BASE_DIR, "frontend")],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'm.wsgi.application'
# Database
# https://docs.djangoproject.com/en/3.2/ref/settings/#databases
"""DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}"""
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': os.environ["POSTGRES_NAME"],
'USER': os.environ["POSTGRES_USER"],
'PASSWORD': os.environ["POSTGRES_PASSWORD"],
'HOST': os.environ["POSTGRES_HOST"],
'PORT': os.environ["POSTGRES_PORT"],
}
}
# Password validation
# https://docs.djangoproject.com/en/3.2/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/3.2/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.2/howto/static-files/
STATIC_URL = '/static/'
STATICFILES_DIRS = [
# Tell Django where to look for React's static files (css, js)
os.path.join(BASE_DIR, "frontend/static"),
]
STATIC_ROOT = os.path.join(BASE_DIR, "static/")
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
# Default primary key field type
# https://docs.djangoproject.com/en/3.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOWED_ORIGINS = [
'http://127.0.0.1',
]
CORS_ALLOW_METHODS = (
'DELETE',
'GET',
'OPTIONS',
'PATCH',
'POST',
'PUT',
)
CORS_ALLOW_HEADERS = (
'accept',
'accept-encoding',
'authorization',
'content-type',
'dnt',
'origin',
'user-agent',
'x-csrftoken',
'x-requested-with',
)
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'mauth.authentication.JWTAuthentication',
],
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
]
}
For frontend I'm using:
config["headers"]["Access-Control-Allow-Origin"] = ENV.API_URL
config["headers"]["Access-Control-Allow-Credentials"] = 'true'
fetch(ENV.API_URL+url, config)
You don't have to do anything in you frontend with headers etc. You just have to make sure that Django (the backend) allows request from the host that the frontend is running on.
You have added 'http://127.0.0.1'
which is the host of the backend, (if they're not running on same host but then you'd have to add the port?)
So with django-cors-headers
you can do something like this:
Let's say backend is running on api.mysite.com
and that frontend is running on mysite.com
(with HTTPS)
Then in settings.py
add this:
CORS_ALLOWED_ORIGIN_REGEXES = [
r'^https:\/\/mysite.com$',
]
and if you want to allow from localhost for development then also add, which will allow from localhost on any port:
r'^http:\/\/localhost:\d+$',
在CORS_ALLOWED_ORIGIN = ['frontend_domain_here']
添加CORS_ALLOWED_ORIGIN = ['frontend_domain_here']
来修复 CORS 问题,正如 Felix 提到的,你不需要在前端做任何关于 CORS 问题的事情,因此它总是可以在后端修复。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.