diff options
| author | Tom Flux <tom@tomflux.xyz> | 2026-06-23 20:45:14 +0100 |
|---|---|---|
| committer | Tom Flux <tom@tomflux.xyz> | 2026-06-23 20:45:46 +0100 |
| commit | cd0e10ed3cc591e1ac4d8743144750aa35c33a80 (patch) | |
| tree | ea187f1beb806b2dac362e054184fdca28add338 | |
| parent | d92deeab514a52e7c3416baef78f8969ade951cc (diff) | |
auth: trust nginx HTTPS proxy for CSRF (SECURE_PROXY_SSL_HEADER + CSRF_TRUSTED_ORIGINS)HEADmasterauth
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| -rw-r--r-- | food_project/settings.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/food_project/settings.py b/food_project/settings.py index 96dcfd0..a2f2c13 100644 --- a/food_project/settings.py +++ b/food_project/settings.py @@ -162,3 +162,11 @@ SESSION_SAVE_EVERY_REQUEST = True LOGIN_URL = 'login' LOGIN_REDIRECT_URL = 'app-pantry' LOGOUT_REDIRECT_URL = 'login' + +# Behind the nginx HTTPS reverse proxy: trust the forwarded scheme so Django +# knows requests are HTTPS, and trust the site's origins for CSRF (needed for +# the login POST and HTMX POSTs now that they're no longer csrf-exempt). +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') +CSRF_TRUSTED_ORIGINS = [ + 'https://food.tomflux.xyz', +] |
