I am trying to run label-studio on my local server and set up a reverse proxy. However, following the website https://labelstud.io/guide/start#Run-Label-Studio-with-HTTPS, I can run label-studio, but on sign-in and log-in I am getting a CORS error.
[2024-02-04 16:07:29,509] [django.security.csrf::log_response::224] [WARNING] Forbidden (CSRF cookie not set.
To resolve the CSRF cookie not set error and the CORS issue when running Label Studio behind a reverse proxy with HTTPS, you can try the following steps:

1. Set CSRF Cookie Domain: Ensure that the CSRF cookie domain is set correctly in your Django settings. You can set the `CSRF_COOKIE_DOMAIN` to the domain that your Label Studio instance is served from. If Label Studio is served from a subpath, you might also need to set `CSRF_COOKIE_PATH`.
2. Configure CSRF Trusted Origins: If your Label Studio is served from a different domain than your main site, you might need to add the domain to the `CSRF_TRUSTED_ORIGINS` in your Django settings.
3. Enable CORS Headers: Make sure that your reverse proxy is configured to handle CORS requests properly. You may need to add the necessary CORS headers such as `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, and `Access-Control-Allow-Credentials` to your reverse proxy configuration.
4. Set Secure Cookie: If you're running Label Studio over HTTPS, ensure that the `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` settings in Django are set to `True` to indicate that the cookie should only be transmitted over secure connections.
5. Check Reverse Proxy Configuration: Verify that your reverse proxy is correctly configured to pass the necessary headers to Label Studio. For example, if you're using Nginx, you might need to include `proxy_set_header` directives to pass the `Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Host` headers.
6. Update Environment Variables: If you're deploying Label Studio in a production environment, set the `SSRF_PROTECTION_ENABLED` environment variable to `true` for additional security.
7. Set `SECRET_KEY`: Ensure that the `SECRET_KEY` environment variable is set to a secure, random value and is consistent across server restarts. This key is used to provide cryptographic signing and should be kept secret.
8. Check Browser Console: Open the browser console to look for any additional CORS-related errors and ensure that the CORS policy includes the correct origin.
9. Review Django Middleware: Ensure that the `CsrfViewMiddleware` is included in the `MIDDLEWARE` setting in your Django settings.
10. Check for Mixed Content: If you're serving Label Studio over HTTPS, ensure that all resources are also served over HTTPS to avoid mixed content issues.

If you've tried these steps and are still encountering issues, please provide more details about your reverse proxy configuration and any relevant logs from both Label Studio and the reverse proxy. This will help in diagnosing the problem more accurately.
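
A pre-flight check for the cookie and origin settings listed in the answer, written as an added example (it is not part of the answer above or of Label Studio's code). It applies the browser's cookie domain and path matching rules and Django 4.0+ style trusted-origin matching; the `app_sees` parameter and all URLs and setting values used with it are constructed assumptions.

```python
from urllib.parse import urlsplit

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match. None means a host-only cookie, which always
    returns to the host that set it."""
    if not cookie_domain:
        return True
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def path_matches(req_path, cookie_path):
    """RFC 6265 path-match."""
    if req_path == cookie_path:
        return True
    return req_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")

def origin_trusted(origin, trusted):
    """CSRF_TRUSTED_ORIGINS as in Django 4.0+: entries carry a scheme,
    and 'https://*.example.com' covers example.com and its subdomains."""
    o = urlsplit(origin)
    for entry in trusted:
        t = urlsplit(entry)
        if t.scheme != o.scheme:
            continue  # a schemeless entry never matches
        if t.netloc.startswith("*."):
            if o.netloc.endswith(t.netloc[1:]) or o.netloc == t.netloc[2:]:
                return True
        elif t.netloc == o.netloc:
            return True
    return False

def check_csrf_setup(public_url, app_sees, settings):
    """public_url: what the browser requests. app_sees (hypothetical name):
    the scheme://host the backend derives from the forwarded headers.
    Returns a list of findings; an empty list means no mismatch was found."""
    u = urlsplit(public_url)
    origin = f"{u.scheme}://{u.netloc}"
    findings = []
    if not domain_matches(u.hostname, settings.get("CSRF_COOKIE_DOMAIN")):
        findings.append("CSRF_COOKIE_DOMAIN does not cover the public host")
    if not path_matches(u.path or "/", settings.get("CSRF_COOKIE_PATH", "/")):
        findings.append("CSRF_COOKIE_PATH does not cover the request path")
    if settings.get("CSRF_COOKIE_SECURE", False) and u.scheme != "https":
        findings.append("CSRF_COOKIE_SECURE is True but the site is not HTTPS")
    if origin != app_sees and not origin_trusted(
            origin, settings.get("CSRF_TRUSTED_ORIGINS", [])):
        findings.append("public origin not in CSRF_TRUSTED_ORIGINS")
    return findings
```

Call `check_csrf_setup` with the URL shown in the browser, the scheme and host the backend logs for the same request, and a dict of the current setting values; each finding names the setting to revisit.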