Deployment on Azure using an ARM template, Forbidden (403) during log in or sign-up #6889

Open
MirkoGiugliano95 opened this issue Jan 10, 2025 · 2 comments

Comments

@MirkoGiugliano95

Deploying on Azure using an ARM template, once the app is started, when I try to authenticate or register myself, I get the following error:

"Forbidden (403)
CSRF verification failed. Request aborted.

More information is available with DEBUG=True."

I’ve also attached the screenshot.
Could you help me?


@MirkoGiugliano95
Author

log error: Forbidden (Origin checking failed - https://***.azurewebsites.net does not match any trusted origins.): /user/signup/

@heidi-humansignal
Collaborator

Hello,

Thank you for contacting Label Studio.

The "Forbidden (403) CSRF verification failed" error typically occurs when Django (the web framework used by Label Studio) detects that the request is not coming from a trusted origin or when certain security settings are not properly configured, especially when deploying behind proxies or load balancers with SSL termination.

Could you please apply this suggestion and see if it works out!

  1. Set the CSRF_TRUSTED_ORIGINS Environment Variable:
    Add the following environment variable to your deployment configuration, ensuring it includes the URL you use to access Label Studio:

    CSRF_TRUSTED_ORIGINS="https://your-domain.com"

    Replace https://your-domain.com with the actual URL where you access Label Studio.
    This setting tells Django to trust requests originating from the specified domain for CSRF protection.

  2. Remove the LABEL_STUDIO_HOST Environment Variable (if set):
    In recent versions of Label Studio, the LABEL_STUDIO_HOST environment variable is no longer required and can cause issues if set. Please ensure that this variable is unset or removed from your configuration.

  3. Enable USE_X_FORWARDED_HOST and USE_X_FORWARDED_PORT:
    If your deployment involves reverse proxies or load balancers, you may need to set the following environment variables:

    USE_X_FORWARDED_HOST="true"
    USE_X_FORWARDED_PORT="true"

    These settings tell Django to trust the X-Forwarded-Host and X-Forwarded-Port headers, which is important when Label Studio is behind a proxy.

  4. Configure SECURE_PROXY_SSL_HEADER (if applicable):
    Since SSL termination might be happening at the load balancer or proxy level in your Azure deployment, set the following:

    SECURE_PROXY_SSL_HEADER="HTTP_X_FORWARDED_PROTO,https"

    This informs Django that it should consider requests with the X-Forwarded-Proto header set to https as secure.

  5. Clear Browser Cache and Cookies:
    After making these changes, clear your browser cache and cookies, or try accessing Label Studio in a private/incognito window to ensure that old cookies aren't causing the issue.

  6. Redeploy Label Studio with Updated Configuration:
    Apply these changes to your ARM template or deployment configuration and redeploy the application.
    Example Configuration in ARM Template:
    Here's how you might specify the environment variables in your ARM template:

    "containerSettings": {
      "environmentVariables": [
        { "name": "CSRF_TRUSTED_ORIGINS", "value": "https://your-domain.com" },
        { "name": "USE_X_FORWARDED_HOST", "value": "true" },
        { "name": "USE_X_FORWARDED_PORT", "value": "true" },
        { "name": "SECURE_PROXY_SSL_HEADER", "value": "HTTP_X_FORWARDED_PROTO,https" }
      ]
    }

Notes:

  • Ensure that you replace https://your-domain.com with the actual URL you are using to access Label Studio.
  • If you're using Azure Application Gateway or another proxy/load balancer, verify that it forwards necessary headers like X-Forwarded-Proto and X-Forwarded-Host.

By configuring the CSRF_TRUSTED_ORIGINS and related settings, you should be able to resolve the CSRF verification issue and successfully authenticate or register in Label Studio.

Please let me know if this helps or if you need further assistance.

Comment by Oussama Assili
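
A simplified, stand-alone model of the Origin comparison behind the logged "Origin checking failed" message, showing which of the settings above make the check pass (added example, not code from this thread, Label Studio or Django). The host name, internal address and header values are constructed, `origin_verified` is a hypothetical helper, and the settings are modelled as already-parsed Python values rather than environment strings.

```python
from urllib.parse import urlparse

# Constructed request as the app container sees it behind a TLS-terminating proxy.
META = {
    "HTTP_ORIGIN": "https://labelstudio.example.net",  # sent by the browser
    "HTTP_HOST": "10.0.0.5:8080",                      # internal address
    "HTTP_X_FORWARDED_HOST": "labelstudio.example.net",
    "HTTP_X_FORWARDED_PROTO": "https",
}

def same_domain(host, pattern):
    # ".example.net" matches example.net and every subdomain of it.
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern

def origin_verified(meta, settings):
    """Hypothetical helper: simplified model of Django's Origin check."""
    host = meta.get("HTTP_HOST", "")
    if settings.get("USE_X_FORWARDED_HOST") and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    scheme = "http"
    proxy_header = settings.get("SECURE_PROXY_SSL_HEADER")  # (META key, value)
    if proxy_header and meta.get(proxy_header[0]) == proxy_header[1]:
        scheme = "https"
    origin = meta["HTTP_ORIGIN"]
    if origin == f"{scheme}://{host}":  # same origin as the app understands itself
        return True
    parsed = urlparse(origin)
    for trusted in settings.get("CSRF_TRUSTED_ORIGINS", []):
        if "*" not in trusted:
            if origin == trusted:  # exact match, scheme included
                return True
            continue
        t = urlparse(trusted)  # wildcard entry such as https://*.example.net
        if t.scheme == parsed.scheme and same_domain(parsed.netloc, t.netloc.lstrip("*")):
            return True
    return False

# Proxy-related settings from the comment above, as parsed values.
PROXY = {"USE_X_FORWARDED_HOST": True,
         "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https")}
```

Trusting the forwarded headers is only sound when the proxy overwrites any X-Forwarded-* values supplied by the client before the request reaches the app.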