[GH-ISSUE #523] CSRF problem with discord integration #381

Closed
opened 2026-02-25 23:42:15 +03:00 by kerem · 5 comments

Originally created by @MrSuicideParrot on GitHub (Jun 3, 2021).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/523

I'm running the self-hosted version of healthchecks (v1.20.0 in a container) and I've been having a problem configuring the Discord integration.
Basically, when I'm configuring the Discord app and have filled in my Redirect URI, a bot from Discord tries to contact my server on the endpoint I specified (SITE_ROOT/integrations/add_discord/), but my server answers with 403, due to the CSRF verification (error below).

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>

  <p>You are seeing this message because this HTTPS site requires a ‘Referer header’ to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
  <p>If you have configured your browser to disable ‘Referer’ headers, please re-enable them, at least for this site, or for HTTPS connections, or for ‘same-origin’ requests.</p>
  <p>If you are using the &lt;meta name=&quot;referrer&quot; content=&quot;no-referrer&quot;&gt; tag or including the ‘Referrer-Policy: no-referrer’ header, please remove them. The CSRF protection requires the ‘Referer’ header to do strict referer checking. If you’re concerned about privacy, use alternatives like &lt;a rel=&quot;noreferrer&quot; ...&gt; for links to third-party sites.</p>

</div>

<div id="explanation">
  <p><small>More information is available with DEBUG=True.</small></p>
</div>

</body>
</html>
```

I analysed the POST request from Discord, and of course, they don't send any Referer header.
Is this an error in my configuration? Or should CSRF not be enabled on this endpoint?

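Why the request was refused, as an added example that is neither healthchecks nor Django code: a simplified model of the Referer check Django's CSRF middleware applies to unsafe requests over HTTPS. Discord's server-to-server POST to an "Interactions Endpoint URL" carries neither a Referer nor a CSRF token, so it is rejected, while the browser's GET to the OAuth2 redirect URL is never checked at all. The function and argument names, the site host and the sample requests are constructed for this example.

```python
# Added example (not code from the healthchecks project or from Django): a
# simplified model of the Referer check Django's CsrfViewMiddleware applies
# to HTTPS requests. Reason strings follow Django's wording; everything else
# (function name, arguments, hosts) is hypothetical.
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # never CSRF-checked


def csrf_decision(method, is_https, headers, site_host, token_ok):
    """Return "ok" or the reason the request is rejected.

    Order follows the middleware: safe methods pass untouched; on HTTPS a
    same-origin Referer is mandatory (browsers send it, API clients such as
    Discord's bot do not); only then is the CSRF token compared.
    """
    if method.upper() in SAFE_METHODS:
        return "ok"
    if is_https:
        referer = headers.get("Referer")
        if not referer:
            return "Referer checking failed - no Referer."
        parsed = urlparse(referer)
        if parsed.scheme != "https" or not parsed.netloc:
            return "Referer checking failed - Referer is malformed."
        if parsed.netloc != site_host:
            return ("Referer checking failed - %s does not match any "
                    "trusted origins." % referer)
    if not token_ok:
        return "CSRF token missing or incorrect."
    return "ok"


# Constructed requests modelled on the three cases in this thread.
SITE = "hc.example.com"
# Discord "interactions" ping: POST, no Referer, no token -> the 403 above.
DISCORD_PING = csrf_decision("POST", True, {}, SITE, False)
# OAuth2 redirect: the user's browser is sent to the URL with a GET.
OAUTH_REDIRECT = csrf_decision("GET", True, {}, SITE, False)
# A normal form submission from the site's own pages.
BROWSER_FORM = csrf_decision(
    "POST", True, {"Referer": "https://hc.example.com/integrations/"}, SITE, True)
```

The fix the thread arrives at is therefore a configuration change on the Discord side, not exempting the endpoint from CSRF checks.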
kerem closed this issue 2026-02-25 23:42:15 +03:00
@cuu508 commented on GitHub (Jun 4, 2021):

In the Discord app, did you set the "Interactions Endpoint URL"?

![image](https://user-images.githubusercontent.com/661859/120752171-e6aac800-c511-11eb-84ed-15d288881e12.png)

The redirect URL (https://yourserver/integrations/add_discord/) should go in OAuth2 > Redirects field:

![image](https://user-images.githubusercontent.com/661859/120752263-12c64900-c512-11eb-845e-4cef0d09c348.png)

PS. There's currently a separate issue with Discord, at least for me on the hosted service at https://healthchecks.io. The issue is with the OAuth2 flow for setting up webhooks. In the last step where the client exchanges access token for the webhook URL, Discord returns a JSON document with the "url" field absent. I'm following up with Discord support about it.

@MrSuicideParrot commented on GitHub (Jun 4, 2021):

I was putting the URL in the Interactions Endpoint field and not in the OAuth2 tab. Sorry to bother you with this.

In regards to the other bug, I think the self-hosted version is also affected, because I am now getting an error 500 when I try to test the integration. When I have debugged the error, I'll let you know.

@MrSuicideParrot commented on GitHub (Jun 4, 2021):

I think this is the error you were talking about...

```
healthchecks    | 2021-06-04T11:16:37.258971878Z Traceback (most recent call last):
healthchecks    | 2021-06-04T11:16:37.259074230Z   File "/usr/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
healthchecks    | 2021-06-04T11:16:37.259086353Z     response = get_response(request)
healthchecks    | 2021-06-04T11:16:37.260246235Z   File "/usr/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
healthchecks    | 2021-06-04T11:16:37.260275590Z     response = wrapped_callback(request, *callback_args, **callback_kwargs)
healthchecks    | 2021-06-04T11:16:37.260333690Z   File "/usr/lib/python3.8/site-packages/django/views/decorators/http.py", line 40, in inner
healthchecks    | 2021-06-04T11:16:37.260347305Z     return func(request, *args, **kwargs)
healthchecks    | 2021-06-04T11:16:37.260375869Z   File "/usr/lib/python3.8/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
healthchecks    | 2021-06-04T11:16:37.260386208Z     return view_func(request, *args, **kwargs)
healthchecks    | 2021-06-04T11:16:37.260425983Z   File "/app/healthchecks/./hc/front/views.py", line 936, in send_test_notification
healthchecks    | 2021-06-04T11:16:37.260437645Z     error = channel.notify(dummy, is_test=True)
healthchecks    | 2021-06-04T11:16:37.260473572Z   File "/app/healthchecks/./hc/api/models.py", line 511, in notify
healthchecks    | 2021-06-04T11:16:37.260484402Z     error = self.transport.notify(check) or ""
healthchecks    | 2021-06-04T11:16:37.260522334Z   File "/app/healthchecks/./hc/api/transports.py", line 458, in notify
healthchecks    | 2021-06-04T11:16:37.260554715Z     url = self.channel.discord_webhook_url + "/slack"
healthchecks    | 2021-06-04T11:16:37.260583419Z   File "/app/healthchecks/./hc/api/models.py", line 611, in discord_webhook_url
healthchecks    | 2021-06-04T11:16:37.260604499Z     url = doc["webhook"]["url"]
healthchecks    | 2021-06-04T11:16:37.260632091Z KeyError: 'url'
```
@cuu508 commented on GitHub (Jun 4, 2021):

Yep, that's the one. Discord doesn't return the "url" field. Not yet sure why, I opened a support ticket with Discord, they've escalated to their dev team, but no updates yet...

The absent "url" field is a recent thing, started 2 days ago.

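Handling the absent "url" field defensively, as an added example that is not the healthchecks project's code: the traceback above reads `doc["webhook"]["url"]` straight out of the token-exchange response, so a missing key becomes a KeyError and a 500. Validating the document first turns the same condition into the error string the transport contract already expects (`notify()` returns "" on success). The function names and the two sample response bodies are constructed; the token values are placeholders.

```python
# Added example (not the healthchecks project's code): validate the JSON
# document from Discord's OAuth2 token exchange before reading webhook.url.
# Function names and sample documents are constructed for this example.
import json


class WebhookResponseError(ValueError):
    """Token-exchange response does not contain a usable webhook URL."""


def extract_webhook_url(doc):
    """Return webhook.url from the decoded response or raise WebhookResponseError.

    The message names what is missing but never echoes the webhook token or
    URL: the URL itself is the secret that authorises posting to the channel,
    so it must not end up in error pages or logs.
    """
    if not isinstance(doc, dict):
        raise WebhookResponseError("token response is not a JSON object")
    webhook = doc.get("webhook")
    if not isinstance(webhook, dict):
        raise WebhookResponseError("token response has no 'webhook' object")
    url = webhook.get("url")
    if not isinstance(url, str) or not url.startswith("https://"):
        keys = ", ".join(sorted(webhook)) or "none"
        raise WebhookResponseError(
            "webhook object has no usable 'url' field (fields present: %s)" % keys)
    return url


def setup_error(raw_body):
    """Mimic the transport contract: "" on success, otherwise an error message."""
    try:
        extract_webhook_url(json.loads(raw_body))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return "Discord webhook setup failed: %s" % exc
    return ""


# Constructed responses: the normal shape, and the shape reported in this
# issue where Discord omitted "url". Token values are placeholders.
GOOD_BODY = ('{"access_token": "x", "webhook": {"id": "1", "token": "PLACEHOLDER",'
             ' "url": "https://discord.com/api/webhooks/1/PLACEHOLDER"}}')
NO_URL_BODY = '{"access_token": "x", "webhook": {"id": "1", "token": "PLACEHOLDER"}}'
```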
@cuu508 commented on GitHub (Jun 4, 2021):

Related discussion in discord-api-docs: https://github.com/discord/discord-api-docs/issues/3057
