From cd0e10ed3cc591e1ac4d8743144750aa35c33a80 Mon Sep 17 00:00:00 2001 From: Tom Flux Date: Tue, 23 Jun 2026 20:45:14 +0100 Subject: auth: trust nginx HTTPS proxy for CSRF (SECURE_PROXY_SSL_HEADER + CSRF_TRUSTED_ORIGINS) Co-Authored-By: Claude Opus 4.8 --- food_project/settings.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/food_project/settings.py b/food_project/settings.py index 96dcfd0..a2f2c13 100644 --- a/food_project/settings.py +++ b/food_project/settings.py @@ -162,3 +162,11 @@ SESSION_SAVE_EVERY_REQUEST = True LOGIN_URL = 'login' LOGIN_REDIRECT_URL = 'app-pantry' LOGOUT_REDIRECT_URL = 'login' + +# Behind the nginx HTTPS reverse proxy: trust the forwarded scheme so Django +# knows requests are HTTPS, and trust the site's origins for CSRF (needed for +# the login POST and HTMX POSTs now that they're no longer csrf-exempt). +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') +CSRF_TRUSTED_ORIGINS = [ + 'https://food.tomflux.xyz', +] -- cgit v1.2.3