django-cors-headers

My django version is 1.8.6. I've copy the corsheaders folder into the project folder. i've pip install django-cors-headers(ver 1.1.0). This is my setting.py: INSTALLED_APPS = ( 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'MyWebsite_app', 'storages', 'rest_framework', 'corsheaders', ) MIDDLEWARE_CLASSES = ( 'django.contrib.sessions.middleware.SessionMiddleware', 'corsheaders.middleware.CorsMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf

I'm really stuck. Here's what I'm trying to do. KEEP CSRF On. - please don't tell me to turn it off. I have an API app run by Django and Django Rest Framework I have a frontend app run by Vue I have installed django-cors-headers to manage CORS Everything works great localy. As soon as I move it to production, I start getting CSRF errors. Here's how everything works. I've seen answers all over that have said everything from turning off CSRF to allowing all for all the things. I want to do this right and not just shut things off and open everything up and end up with a security hole. So, here's

I'm working with two dev servers on my local machine (node & django's). I've added django-cors-headers to the project to allow all origins & methods (on dev) with the following settings : CORS_ORIGIN_ALLOW_ALL = 'ALL' CORS_ALLOW_METHODS = ( 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS' ) I'm getting 405 when attempting DELETE. Looking at the response headers HTTP/1.0 405 METHOD NOT ALLOWED Date: Mon, 03 Nov 2014 10:04:43 GMT Server: WSGIServer/0.1 Python/2.7.5 Vary: Cookie X-Frame-Options: SAMEORIGIN Content-Type: application/json Access-Control-Allow-Origin: * Allow: GET, POST, HEAD,

django-cors-headers not work INSTALLED_APPS = ( 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'django.contrib.gis', 'corsheaders', 'rest_framework', 'world', 'userManager', 'markPost', 'BasicServices', ) MIDDLEWARE_CLASSES = ( 'django.contrib.sessions.middleware.SessionMiddleware', 'corsheaders.middleware.CorsMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django

I am developing a 1-page application in AngularJS using and Django Rest Framework + Django CORS Headers. My problem is that the "csrftoken" cookie never shows up in my browser when I have contacted the backend. For example: I am doing a login using a post. I get the "sessionid" cookie properly but the "csrftoken" never shows up and therefor I cannot do proper posts from my client since I will get denied due the lack of the csrf token. I have analyzed the response headers from the API and the csrftoken is not ther. I have looked directly in the rest API browser and it shows up fine there. Just