From 5163834de40435d89ccba0763ad06c0170b9e58a Mon Sep 17 00:00:00 2001
From: stefan
Date: Tue, 19 Nov 2024 23:09:53 +0100
Subject: [PATCH 1/2] added CSRF trusted origin config, added tzdata - needed in debug mode
---
 requirements.txt | 1 +
 shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py | 1 +
 2 files changed, 2 insertions(+)
diff --git a/requirements.txt b/requirements.txt
index 6dd0753..e2ff01c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -31,5 +31,6 @@ setuptools==75.3.0
 sqlparse==0.4.1
 toml==0.10.2
 typing_extensions==4.12.2
+tzdata==2024.2
 urllib3==2.2.3
 wrapt==1.12.1
diff --git a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
index 2775540..ebc7326 100644
--- a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
+++ b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
@@ -56,6 +56,7 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True':
 ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')]
+CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')]
 # Application definition
From 6e5108521029e84ff1104360522efaf811735a6d Mon Sep 17 00:00:00 2001
From: stefan
Date: Tue, 19 Nov 2024 23:31:56 +0100
Subject: [PATCH 2/2] removed the trusted origin foo again - added proper detection of https
---
 shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
index ebc7326..e30907f 100644
--- a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
+++ b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py
@@ -56,8 +56,6 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True':
 ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')]
-CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')]
-
 # Application definition
 INSTALLED_APPS = [
@@ -240,4 +238,7 @@ CSRF_COOKIE_SECURE = True
 SECURE_SSL_REDIRECT = False
+# allow detection of https behind "old" nginx
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
 SECURE_HSTS_SECONDS = get_env_value('DJANGO_SECURE_HSTS_SECONDS', default=120)
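Review bot: The new SECURE_PROXY_SSL_HEADER line makes Django trust a request-supplied header, so it is only safe when the nginx in front always sets X-Forwarded-Proto itself instead of forwarding whatever the client sent; otherwise a plain-HTTP client can make request.is_secure() return True, which is what the CSRF origin check and the *_COOKIE_SECURE handling rely on. The one-line comment above it should state that assumption, e.g. `# nginx must set X-Forwarded-Proto itself (proxy_set_header); never trust a client-supplied value`. SECURE_SSL_REDIRECT stays False in the context line directly above, and with the proxy header in place a redirect would no longer loop, so a short comment on why it is still disabled (or a follow-up enabling it) would help the next reader. The blank context lines of this hunk appear to have been collapsed, so the surrounding spacing is inferred.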