From 6e5108521029e84ff1104360522efaf811735a6d Mon Sep 17 00:00:00 2001
From: stefan
Date: Tue, 19 Nov 2024 23:31:56 +0100
Subject: [PATCH] removed the trusted origin foo again - added proper detection of https
---
 shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
index ebc7326..e30907f 100644
--- a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
+++ b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
@@ -56,8 +56,6 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True':
 
 ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')]
 
-CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')]
-
 # Application definition
 
 INSTALLED_APPS = [
@@ -240,4 +238,7 @@ CSRF_COOKIE_SECURE = True
 
 SECURE_SSL_REDIRECT = False
 
+# allow detection of https behind "old" nginx
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
 SECURE_HSTS_SECONDS = get_env_value('DJANGO_SECURE_HSTS_SECONDS', default=120)
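Review bot: The new `SECURE_PROXY_SSL_HEADER` line in the second hunk makes Django trust `X-Forwarded-Proto` on every request, and the comment above it does not record the precondition that makes this safe. The setting is only sound when the proxy always sets or strips that header itself, so a client-supplied value never reaches the app; otherwise a plain-HTTP request can be marked as secure, which affects `request.is_secure()`, the CSRF origin check and the HSTS header. I would extend the comment to something like `# trusted only because nginx overwrites X-Forwarded-Proto (proxy_set_header X-Forwarded-Proto $scheme;) and the app port is not reachable directly`, and confirm the nginx config, which is not visible here, actually does that. Because the first hunk drops `CSRF_TRUSTED_ORIGINS`, CSRF origin validation now depends entirely on this header being correct.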