CORS error in label studio on setting host and port


I am trying to run label-studio in my local server and do a reverse proxy. However, following the website https://labelstud.io/guide/start#Run-Label-Studio-with-HTTPS, I can run label-studio, but on sign-in and log-in I am getting a CORS error.

[2024-02-04 16:07:29,509] [django.security.csrf::log_response::224] [WARNING] Forbidden (CSRF cookie not set.

There is 1 best solution below

To resolve the CSRF cookie not set error and the CORS issue when running Label Studio behind a reverse proxy with HTTPS, you can try the following steps:

  1. Set CSRF Cookie Domain: Ensure that the CSRF cookie domain is set correctly in your Django settings. You can set the CSRF_COOKIE_DOMAIN to the domain that your Label Studio instance is served from. If Label Studio is served from a subpath, you might also need to set CSRF_COOKIE_PATH.

  2. Configure CSRF Trusted Origins: If your Label Studio is served from a different domain than your main site, you might need to add the domain to the CSRF_TRUSTED_ORIGINS in your Django settings.

  3. Enable CORS Headers: Make sure that your reverse proxy is configured to handle CORS requests properly. You may need to add the necessary CORS headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Credentials to your reverse proxy configuration.

  4. Set Secure Cookie: If you're running Label Studio over HTTPS, ensure that the SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE settings in Django are set to True to indicate that the cookie should only be transmitted over secure connections.

  5. Check Reverse Proxy Configuration: Verify that your reverse proxy is correctly configured to pass the necessary headers to Label Studio. For example, if you're using Nginx, you might need to include proxy_set_header directives to pass the Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host headers.

  6. Update Environment Variables: If you're deploying Label Studio in a production environment, set the SSRF_PROTECTION_ENABLED environment variable to true for additional security.

  7. Set SECRET_KEY: Ensure that the SECRET_KEY environment variable is set to a secure, random value and is consistent across server restarts. This key is used to provide cryptographic signing and should be kept secret.

  8. Check Browser Console: Open the browser console to look for any additional CORS-related errors and ensure that the CORS policy includes the correct origin.

  9. Review Django Middleware: Ensure that the CsrfViewMiddleware is included in the MIDDLEWARE setting in your Django settings.

  10. Check for Mixed Content: If you're serving Label Studio over HTTPS, ensure that all resources are also served over HTTPS to avoid mixed content issues.

If you've tried these steps and are still encountering issues, please provide more details about your reverse proxy configuration and any relevant logs from both Label Studio and the reverse proxy. This will help in diagnosing the problem more accurately.
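An added example, not part of the answer above and not Label Studio's own code: a small offline audit of the Django settings named in steps 1, 2 and 4 against the public URL the reverse proxy serves. It assumes Django 4.0 or later (where CSRF_TRUSTED_ORIGINS entries must include a scheme); the function names, the hostnames and the two sample settings dicts are constructed for illustration.

```python
from urllib.parse import urlsplit

def cookie_domain_matches(cookie_domain, host):
    """Cookie domain-match: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)

def origin_trusted(origin, trusted):
    """Simplified model of matching an Origin against CSRF_TRUSTED_ORIGINS."""
    o = urlsplit(origin)
    for entry in trusted:
        t = urlsplit(entry)
        if not t.netloc or t.scheme != o.scheme:
            continue  # entries without a scheme, or with the wrong one, never match
        if t.netloc.startswith("*."):
            suffix = t.netloc[1:]  # "*.example.com" -> ".example.com"
            if o.netloc.endswith(suffix) or o.netloc == suffix[1:]:
                return True
        elif t.netloc == o.netloc:
            return True
    return False

def audit(public_url, settings):
    """Return findings that explain CSRF rejections behind an HTTPS proxy."""
    url = urlsplit(public_url)
    origin = f"{url.scheme}://{url.netloc}"
    trusted = settings.get("CSRF_TRUSTED_ORIGINS", [])
    findings = [f"trusted origin {e!r} has no scheme" for e in trusted if "://" not in e]
    if not origin_trusted(origin, trusted):
        findings.append(f"{origin} is not covered by CSRF_TRUSTED_ORIGINS")
    domain = settings.get("CSRF_COOKIE_DOMAIN")
    if domain and not cookie_domain_matches(domain, url.hostname):
        findings.append(f"CSRF_COOKIE_DOMAIN {domain!r} does not cover {url.hostname}")
    for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE"):
        secure = bool(settings.get(name))
        if secure and url.scheme != "https":
            findings.append(f"{name}=True but the site is http: the browser drops the cookie")
        elif not secure and url.scheme == "https":
            findings.append(f"{name}=False on an https site: cookie may travel in clear text")
    return findings

# Constructed sample settings (hypothetical hostnames).
BAD = {"CSRF_TRUSTED_ORIGINS": ["labels.example.com"], "CSRF_COOKIE_DOMAIN": "internal.lan",
       "CSRF_COOKIE_SECURE": False, "SESSION_COOKIE_SECURE": True}
GOOD = {"CSRF_TRUSTED_ORIGINS": ["https://*.example.com"], "CSRF_COOKIE_DOMAIN": ".example.com",
        "CSRF_COOKIE_SECURE": True, "SESSION_COOKIE_SECURE": True}

if __name__ == "__main__":
    for finding in audit("https://labels.example.com", BAD):
        print(finding)
```
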