From 5163834de40435d89ccba0763ad06c0170b9e58a Mon Sep 17 00:00:00 2001 From: stefan Date: Tue, 19 Nov 2024 23:09:53 +0100 Subject: [PATCH 1/2] added CSRF trusted origin config, added tzdata - needed in debug mode --- requirements.txt | 1 + shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py | 1 + 2 files changed, 2 insertions(+) diff --git a/requirements.txt b/requirements.txt index 6dd0753..e2ff01c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,5 +31,6 @@ setuptools==75.3.0 sqlparse==0.4.1 toml==0.10.2 typing_extensions==4.12.2 +tzdata==2024.2 urllib3==2.2.3 wrapt==1.12.1 diff --git a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py index 2775540..ebc7326 100644 --- a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py +++ b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py @@ -56,6 +56,7 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True': ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')] +CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')] # Application definition -- 2.47.0 From 6e5108521029e84ff1104360522efaf811735a6d Mon Sep 17 00:00:00 2001 From: stefan Date: Tue, 19 Nov 2024 23:31:56 +0100 Subject: [PATCH 2/2] removed the trusted origin foo again - added proper detection of https --- shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py index ebc7326..e30907f 100644 --- a/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py +++ b/shimatta_kenkyusho/shimatta_kenkyusho/settings_production.py @@ -56,8 +56,6 @@ if get_env_value('DJANGO_FORCE_DEV_MODE', default=False) == 'True': ALLOWED_HOSTS = ['127.0.0.1', 'localhost', get_env_value('DJANGO_ALLOWED_HOST')] -CSRF_TRUSTED_ORIGINS =['https://' + get_env_value('DJANGO_ALLOWED_HOST')] - # Application definition INSTALLED_APPS = [ @@ -240,4 +238,7 @@ CSRF_COOKIE_SECURE = True SECURE_SSL_REDIRECT = False +# allow detection of https behind "old" nginx +SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") + SECURE_HSTS_SECONDS = get_env_value('DJANGO_SECURE_HSTS_SECONDS', default=120) -- 2.47.0