[403] CSRF verification failed

Issue #2982 resolved
Samuel Marks created an issue

Good morning,

Unfortunately I get the following error when trying to amend (add new comment) to one of my bitbucket issues:

{{{ Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.

More information is available with DEBUG=True. }}}

I'm running Windows 7 SP1 x64 with Opera 11.50 (Build 1074).

Attached is a screenshot of my settings. I have also tried adding bitbucket as a security exception and trying form submission without a proxy.

Please fix this ASAP (or if it's a problem on my end, tell me how to fix it).


Samuel Marks

Comments (14)

  1. Dylan Etkin

    Hi Samuel,

    Bitbucket uses a Referer header to stop CSRF attacks. As the error message should have stated, you have likely disabled (or an add-on might have changed it).

    I have tried commenting on an issue in the 11.50 version of Opera and did not have the same problem. This is a default setup of Opera. I am not exactly sure how to configure that setting in Opera.

    In Firefox you can type about:config in your address bar, and search for Network.http.sendRefererHeader preference.

    You can read up on that setting here: http://kb.mozillazine.org/Network.http.sendRefererHeader

    Sorry for the trouble, I hope this helps,


  2. Samuel Marks reporter
    • changed status to new

    No worries, must be something wrong with my configuration (since it worked for you).

    I'll try again at Uni using a clean version of Opera.

    Thanks for your time

  3. Marko Burjek

    The same problem with verification is also when adding ssh keys to a repository. And it is very frustrating. You add a key and nothing happens. I tried 3 times. Only after opening developer tools in browser you can see that you get error 403 and a problem could be with referrer headers.

    I think Error should be shown to a user. I know this is developer oriented site but still.

  4. Raphaël Droz

    Still a problem including when network.http.sendRefererHeader = 1 (firefox) Is it because it use button or image rather plain links? See issue #10726 too

  5. M Hagoort

    Can you please disable this stupid "feature"? It's security through obscurity as any program can send any HTTP_REFERER header they like. If i want to hack bitbucket logins i just write a script that sets this particular header and send it.

    Yes, i disabled it in my browsers for a reason: privacy

    So, enabling it when visiting bitbucket en disabling it again after visiting bitbucket is more error-prone to my privacy then the security of bitbucket. There are better CSRF protection schemes then this crap.

  6. David

    Yes a program can set any header it likes. However, the CSRF implementation is checking that for mutative requests (to resources that are not csrf excluded) that the referer header is in the same origin as the host header sent and as a request made from https://not-bitbucket.something should not be able to be sent to https://bitbucket.org with a referer header value of https://bitbucket.org while the host header is also https://bitbucket.org in a user's browser to provide further protection against CSRF attacks. See https://docs.djangoproject.com/en/1.9/ref/csrf/#how-csrf-works for more details.

  7. André Ménard

    +1 M Hagoort. Thanks for the addon-link; despite it being, somewhat, buggy.

    @David Black: This is probably one of the longest technical sentence I had the horror to read. While using the Referer header might protect against CSRFs, it is not the most user-friendly solution. Simply, BitBucket relies on the proper behavior of the agent. Users with non-conforming agents --- whether because they are buggy, "dumber", or configured differently --- are ignored.

    Of all the sites I use, BitBucket is to first to complain against the lack of a Referer header.

  8. Frank Forte

    The CSRF token should be enough to verify that the user is on the origin website (assuming a random enough and long enough token).

    It looks like the only reason for using the referrer is to prevent man in the middle attacks, but this also stops legitimate server proxy setups, where https is used to connect via origin server, but Bitbucket is set up behind the scenes (e.g. on a different port or internal server).

  9. Nemiz D

    It boggles my mind that this issue HAS NOT BEEN FIXED for years.

    It is very common to have referrer header disabled, especially among developers.

    All well made sites work without referrer header set.

    Way to keep people away from coming to bitbucket. Keep it up!

  10. Log in to comment