How to POST webhook with CSRF?

[llamafilm]

I'm looking for clarity on exactly what is required to satisfy Netbox / Django CSRF requirements.
I'm trying to run a custom script via the API and I'm getting this error:

    "detail": "CSRF Failed: Referer checking failed - no Referer."

I'm providing an API token in the Authorization header, so I don't think Referer should be necessary. As evidence of that, if I POST the request on localhost:80 then it works fine, like this:

curl -X POST \
  -H "Authorization: Token $API_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json; indent=4" \
  -d '{"data": {"device_id": 1, "delay": 10}, "commit": true}' \
  http://localhost:80/api/extras/scripts/9/

But when I run through my TLS gateway, it fails.
The Django docs say a CSRF cookie must be present, and they don't mention any exceptions about webhooks like this. But if the cookie is strictly required, then why does it work on localhost?

To debug this, tried adding a custom middleware that logs the entire request object, to compare all the headers from the local request vs TLS, and I can't find any meaningful differences. I even tried removing django.middleware.csrf.CsrfViewMiddleware from settings.py and that didn't help! I'm stumped by that, as I thought this error must be coming from that class.

[llamafilm]

Problem solved. I had to set my custom remote auth backend to skip any requests starting with /api or else it tried to login automatically, which means Django then enforces CSRF.

[jeremystretch]

Thanks for following up with your fix!

[llamafilm]

Actually this isn't quite solved. I raised it as a bug #18914.