removed the trusted origin foo again - added proper detection of https

shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py

@@ -56,8 +56,6 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True':
 
 ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')]
 
-CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')]
-
 # Application definition
 
 INSTALLED_APPS = [
@@ -240,4 +238,7 @@ CSRF_COOKIE_SECURE = True
 
 SECURE_SSL_REDIRECT = False
 
+# allow detection of https behind "old" nginx
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
 SECURE_HSTS_SECONDS = get_env_value('DJANGO_SECURE_HSTS_SECONDS', default=120)