Recent changes to Crypt Server have included guards against cross-site request forgery (CSRF) attacks. If you don’t have your Crypt Server configured correctly, you may run into issues when trying to view a secret (Get Key). You can get an error like:
Forbidden (403) CSRF verification failed.
With DEBUG = True passed as an environment variable, you may see a little more detail, but not much that is helpful:
Origin checking failed - https://www.yourcryptserver.com does not match any trusted origins.
Despite the fact that you should be able to do so (based on the Crypt Server README), when I ran into this and tried adding
CSRF_TRUSTED_ORIGINS = ['https://www.mycryptserver.com']
to the settings.py file before running the Docker container, it didn’t seem to be recognized, and I still got a 403 Forbidden error.
It wasn’t until I passed
-e HOST_NAME='https://www.mycryptserver.com'
in the docker run command, to load HOST_NAME as an environment variable, that I stopped getting the 403 Forbidden error relating to CSRF.
In the future, though, you may have to pass CSRF_TRUSTED_ORIGINS itself as an environment variable instead of passing HOST_NAME. More details are in this pull request.
From the Docker markdown file in Crypt Server, you can also see an example of how that environment variable would look in the docker run command:
-e CSRF_TRUSTED_ORIGINS='https://FirstServer.com,https://SecondServer.com'
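As an added illustration (not Crypt Server's own settings code), here is how a Django settings.py could build CSRF_TRUSTED_ORIGINS from either environment variable shown above, so a comma-separated CSRF_TRUSTED_ORIGINS wins and HOST_NAME is the fallback. The precedence, the helper names and the rejection of origins without a scheme are assumptions for this example; Django 4.0 and later does require each trusted origin to carry a scheme, and the Origin header the browser sends never has a trailing slash, so the value is normalized to scheme://host.

```python
import os
from urllib.parse import urlsplit


def parse_origins(value):
    """Split a comma-separated list such as 'https://a.com,https://b.com'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_origin(origin):
    """Return the origin as scheme://host, or raise ValueError.

    A bare hostname (no scheme) or a value with a path/query would never
    match the browser's Origin header, so the 403 would persist silently.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"trusted origin needs scheme and host: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"trusted origin must not have a path/query: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}"


def csrf_trusted_origins(env):
    """Assumed precedence: CSRF_TRUSTED_ORIGINS, then HOST_NAME, else empty.

    An empty list means Django rejects every cross-origin POST with 403,
    which is exactly the symptom described above.
    """
    raw = env.get("CSRF_TRUSTED_ORIGINS") or env.get("HOST_NAME") or ""
    return [validate_origin(origin) for origin in parse_origins(raw)]


# In a real settings.py this would read the container's environment.
CSRF_TRUSTED_ORIGINS = csrf_trusted_origins(os.environ)
```

Because validation fails loudly at startup, a misspelled or scheme-less value surfaces in the container log instead of as a puzzling 403 on Get Key.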