CSRF validation does not work on Django using HTTPS

For anyone who follows this, if you have set CORS_ORIGIN_ALLOW_ALL to True, then you don't need to set the CORS_ORIGIN_WHITELIST variable anymore, as you are allowing every host already.

SOLUTION TO MY PROBLEM - it might help somebody

The problem we had was a peculiar one. We have a Client application sending requests using TokenAuthentication to another application, a CRM built using Django Admin and therefore using SessionAuthentication. When we opened the Django Admin application, the SessionMiddleware automatically created a session_id cookie for that domain. When opening the Client application and trying to perform a request, we got the following error:

Error: CSRF Failed: Referer checking failed - https://domainofthedjangoadminapp.com does not match any trusted origins.

That was only because the session_id cookie was already set in the browser, so the request was made using SessionAuthentication instead of TokenAuthentication and failed.

Removing the cookie obviously fixed the problem.


Django 4.0 and above

For Django 4.0 and above, CSRF_TRUSTED_ORIGINS must include scheme and host, e.g.:

CSRF_TRUSTED_ORIGINS = ['https://front.bluemix.net']

Django 3.2 and lower

For Django 3.2 and lower, CSRF_TRUSTED_ORIGINS must contain only the hostname, without a scheme:

CSRF_TRUSTED_ORIGINS = ['front.bluemix.net']

You probably also need to put something in ALLOWED_HOSTS...
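
The format change described above can be checked mechanically. The following is an added example, not code from the answer or from Django: the function names are hypothetical, the sample entries are constructed, and the `https` default used when adding a scheme is an assumption to confirm for each origin. It also covers the leading-dot subdomain form, which Django 4.0 and above write as `https://*.example.com`.

```python
# Added example: audit CSRF_TRUSTED_ORIGINS entries against the format the
# running Django version expects. In a real project, pass django.VERSION[:2].

def to_django4_origin(entry, scheme="https"):
    """Convert a Django <= 3.2 entry (bare host) to the >= 4.0 form."""
    if "://" in entry:
        return entry                      # already carries a scheme
    if entry.startswith("."):
        entry = "*" + entry               # '.example.com' -> '*.example.com'
    return f"{scheme}://{entry}"          # assumption: the site is served over https


def to_django3_origin(entry):
    """Convert a Django >= 4.0 entry (scheme + host) to the <= 3.2 form."""
    if "://" not in entry:
        return entry                      # already a bare host
    host = entry.split("://", 1)[1]
    if host.startswith("*."):
        host = host[1:]                   # '*.example.com' -> '.example.com'
    return host


def audit_trusted_origins(origins, django_version):
    """Return (entry, suggested_replacement) for every entry in the wrong format."""
    wants_scheme = tuple(django_version) >= (4, 0)
    findings = []
    for entry in origins:
        has_scheme = "://" in entry
        if wants_scheme and not has_scheme:
            findings.append((entry, to_django4_origin(entry)))
        elif not wants_scheme and has_scheme:
            findings.append((entry, to_django3_origin(entry)))
    return findings


if __name__ == "__main__":
    # Constructed sample settings value mixing both styles.
    sample = ["front.bluemix.net", ".example.com", "https://front.bluemix.net"]
    for version in [(3, 2), (4, 2)]:
        print(version, audit_trusted_origins(sample, version))
```
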