hotosm · kshitijrajsharma · Mar 18, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/core/settings/base.py b/core/settings/base.py
@@ -75,6 +75,11 @@
     # ABS_PATH('core', 'base_static'),
 )
 
+# Allow OSM tile servers to receive a Referer header (required by OSM tile policy).
+# Django's SecurityMiddleware defaults to "same-origin", which strips the Referer
+# on cross-origin requests, causing OSM tiles to return 403 "Access blocked".
+SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
 
 # default middleware classes
 MIDDLEWARE = [

diff --git a/core/settings/contrib.py b/core/settings/contrib.py
@@ -27,7 +27,6 @@
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "rest_framework.authentication.TokenAuthentication",
         "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
-        "rest_framework.authentication.SessionAuthentication",
     ),
     "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
     "DEFAULT_RENDERER_CLASSES": (

diff --git a/ui/app/components/aoi/ExportAOI.js b/ui/app/components/aoi/ExportAOI.js
@@ -277,6 +277,7 @@ export class ExportAOI extends Component {
               }),
               OSM.ATTRIBUTION
             ],
+            crossOrigin: null,
             url:
               "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
           })
-Original file line number
+Diff line change
@@ Expand Up / @@ -277,6 +277,7 @@ export class ExportAOI extends Component { @@
                   }),
                   OSM.ATTRIBUTION
                 ],
+                crossOrigin: null,
                 url:
                   "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
               })
@@ Expand Down @@