All Blogs Go to Heaven
Reminder: RTFM
Published: Sept. 20, 2019, 7:37 p.m.
Edited: Sept. 20, 2019, 7:49 p.m.
Just in case you don't know, RTFM means "Read The Friendly Manual"... or something very close to that and somewhat NSFW. Everyone knows it's important to read the manual and not just blunder into complicated things, but we all try to cut corners once in a while.
I generally read a bit, blunder a bit, and then remember that there is a manual and I go back. Recently I did this concerning CORS headers in Django Rest Framework.
I am working on a project that I've wanted to do for a while and it's my first real hands on experience building a SPA frontend with API backend. I'm using React and Django REST Framework. In theory I know how this is supposed to work, but I've never done it. There are large problems that I'm going to run into, but while messing around with how to organized the data model and components, I was running into the dreaded...
Cross Origin Request Blocked
To start, I installed the Django corsheaders
module and added it in settings.py
as shown below.
CORS_ORIGIN_ALLOW_ALL = True
INSTALLED_APPS = [
# ...
'corsheaders',
]
MIDDLEWARE = [
# ...
'corsheaders.middleware.CorsMiddleware',
'corsheaders.middleware.CorsPostCsrfMiddleware',
]
Generally that first line should make you nervous, but I wasn't too worried about about anything nasty happening because I'm running client and api from localhost and know very well that nobody is hackin' this mainframe. I didn't want to get bogged down with this while I was working on other parts, however, when the time came to remove it I was struggling. Superficially, it seemed I had done everything right, but things weren't working.
After banging my head for a bit and reading every StackOverflow Q/A I could find, I realized it was time to RTFM. Luckily the FM is only a few pages in this case; I really should have done it earlier.
From the README:
CorsMiddleware should be placed as high as possible, especially before any middleware that can generate responses such as Django’s CommonMiddleware or Whitenoise’s WhiteNoiseMiddleware. If it is not before, it will not be able to add the CORS headers to these responses.
That was it. It was as simple as that! Notice my ellipses earlier and notice it came BEFORE the CORS middleware. I just needed to put this middleware at the top of the list so that Django uses it first and it was fixed!
RTFM
RTFM
RTFM
RTFM
Next time I promise to remember...