403 Forbidden

Cross-site request blocked by Fetch Metadata policy.

{% if DEBUG %}

Request

Method {{ request_method }}
Path {{ request_path }}

Sec-Fetch-* Headers

Sec-Fetch-Site {% if headers.site %}{{ headers.site }}{% else %}not sent{% endif %}
Sec-Fetch-Mode {% if headers.mode %}{{ headers.mode }}{% else %}not sent{% endif %}
Sec-Fetch-Dest {% if headers.dest %}{{ headers.dest }}{% else %}not sent{% endif %}
Sec-Fetch-User {% if headers.user %}{{ headers.user }}{% else %}not sent{% endif %}

Policy Decision

Reason {{ reason }}
{% if policy.allowed_sites %}Allowed Sites {{ policy.allowed_sites|join:", " }}{% endif %}
{% if policy.allow_navigations != None %}Allow Navigations {{ policy.allow_navigations }}{% endif %}
{% if policy.fail_open != None %}Fail Open {{ policy.fail_open }}{% endif %}

Troubleshooting:

{% if reason == "no_header_strict" %}

This request was blocked because no Sec-Fetch-Site header was sent and FAIL_OPEN is disabled. Non-browser clients (curl, webhooks, API consumers) don't send Fetch Metadata headers.

To allow this request, you can:

- Set FETCH_METADATA_FAIL_OPEN = True (or use the DEFAULT preset)

{% else %}

This request was blocked because the Sec-Fetch-Site header value is not in the list of allowed sites for this view.

To allow this request, you can:

- Add the site value to FETCH_METADATA_ALLOWED_SITES

{% endif %}

- Add the path to FETCH_METADATA_EXEMPT_PATHS

- Decorate the view with @fetch_metadata_exempt

- Enable FETCH_METADATA_REPORT_ONLY = True to log without blocking

{% else %}

More information is available with DEBUG=True.

{% endif %}
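
The decision this page reports, sketched as an added example (not the project's own code). Assumptions: the `Policy` class, the `decide` function, the default values, every reason code except `no_header_strict`, and the meaning given to `allow_navigations` are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Field names mirror the settings named on this page; defaults are assumed.
    allowed_sites: frozenset = frozenset({"same-origin", "none"})
    allow_navigations: bool = True
    fail_open: bool = False
    exempt_paths: tuple = ()
    report_only: bool = False

def _block(policy, reason):
    # Report-only mode records the reason but lets the request through.
    return (policy.report_only, reason)

def decide(policy, method, path, headers):
    """Return (allowed, reason) for one request."""
    if any(path.startswith(p) for p in policy.exempt_paths):
        return (True, "exempt_path")
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        # Non-browser clients (curl, webhooks) send no Fetch Metadata headers.
        if policy.fail_open:
            return (True, "no_header_fail_open")
        return _block(policy, "no_header_strict")
    if site in policy.allowed_sites:
        return (True, "allowed_site")
    # Assumed meaning of allow_navigations: top-level GET/HEAD document loads.
    if (policy.allow_navigations and method in ("GET", "HEAD")
            and headers.get("Sec-Fetch-Mode") == "navigate"
            and headers.get("Sec-Fetch-Dest") == "document"):
        return (True, "navigation")
    return _block(policy, "site_not_allowed")

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/transfer", {}),
    ("POST", "/transfer", {"Sec-Fetch-Site": "cross-site",
                           "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    ("GET", "/", {"Sec-Fetch-Site": "cross-site",
                  "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("POST", "/webhooks/in", {}),
]

if __name__ == "__main__":
    strict = Policy(exempt_paths=("/webhooks/",))
    for method, path, headers in SAMPLES:
        print(method, path, decide(strict, method, path, headers))
```

The exempt-path check runs before any header inspection, which is why a header-less webhook passes under a strict policy while the same request to `/transfer` is blocked.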