Cross-site request blocked by Fetch Metadata policy.
{% if DEBUG %}

| Field | Value |
|---|---|
| Method | {{ request_method }} |
| Path | {{ request_path }} |
| Sec-Fetch-Site | {% if headers.site %}{{ headers.site }}{% else %}not sent{% endif %} |
| Sec-Fetch-Mode | {% if headers.mode %}{{ headers.mode }}{% else %}not sent{% endif %} |
| Sec-Fetch-Dest | {% if headers.dest %}{{ headers.dest }}{% else %}not sent{% endif %} |
| Sec-Fetch-User | {% if headers.user %}{{ headers.user }}{% else %}not sent{% endif %} |
| Reason | {{ reason }} |
| Allowed Sites | {{ policy.allowed_sites|join:", " }} |
| Allow Navigations | {{ policy.allow_navigations }} |
| Fail Open | {{ policy.fail_open }} |

Troubleshooting:

{% if reason == "no_header_strict" %}This request was blocked because no Sec-Fetch-Site header was sent
and FAIL_OPEN is disabled. Non-browser clients (curl, webhooks, API consumers)
don't send Fetch Metadata headers.

To allow this request, you can:
- Set FETCH_METADATA_FAIL_OPEN = True (or use the DEFAULT preset)
{% else %}This request was blocked because the Sec-Fetch-Site header value
is not in the list of allowed sites for this view.

To allow this request, you can:
- Add the site value to FETCH_METADATA_ALLOWED_SITES
- Add the path to FETCH_METADATA_EXEMPT_PATHS
- Decorate the view with @fetch_metadata_exempt
- Enable FETCH_METADATA_REPORT_ONLY = True to log without blocking
{% endif %}
{% else %}More information is available with DEBUG=True.
{% endif %}
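
The decision order behind the reasons and settings named on this page can be sketched as follows. This is an added example, not the middleware's own code: the `Policy` class, the `evaluate` function, the default values, prefix matching for exempt paths, the navigation test, and every reason string other than `no_header_strict` are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Field names mirror the policy values shown above; defaults are constructed.
    allowed_sites: tuple = ("same-origin", "same-site", "none")
    allow_navigations: bool = True
    fail_open: bool = True
    exempt_paths: tuple = ()
    report_only: bool = False


def _decide(policy, method, path, headers):
    # Exempt paths skip the check entirely (prefix match is an assumption).
    if any(path.startswith(prefix) for prefix in policy.exempt_paths):
        return True, "exempt_path"
    site = headers.get("sec-fetch-site")
    if site is None:
        # Non-browser clients and old browsers send no Fetch Metadata headers.
        if policy.fail_open:
            return True, "no_header_fail_open"
        return False, "no_header_strict"
    if site in policy.allowed_sites:
        return True, "allowed_site"
    # Cross-site top-level navigation (following a link): GET only, and never
    # into <object>/<embed>, so state-changing requests are still refused.
    is_navigation = (
        headers.get("sec-fetch-mode") == "navigate"
        and method == "GET"
        and headers.get("sec-fetch-dest") not in ("object", "embed")
    )
    if policy.allow_navigations and is_navigation:
        return True, "navigation"
    return False, "site_not_allowed"


def evaluate(policy, method, path, headers):
    """Return (allowed, reason); header names are expected in lowercase."""
    allowed, reason = _decide(policy, method, path, headers)
    if not allowed and policy.report_only:
        # Report-only mode records the would-be block but lets the request pass.
        return True, "report_only:" + reason
    return allowed, reason
```

Running a representative set of requests through a function like this before turning off report-only mode shows which clients the strict setting would lock out.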