Fix CSRF 403 on all POSTs behind traefik

prod.py never read the CSRF_TRUSTED_ORIGINS env var the deployment already
injects, so Django's setting stayed empty. Behind traefik's TLS termination
Django saw requests as HTTP and rejected the browser's https:// Origin on
every POST with a CSRF failure (403) — forms could not be saved and the DB
stayed empty.

- Read CSRF_TRUSTED_ORIGINS from env (filtering empties).
- Set SECURE_PROXY_SSL_HEADER so Django recognizes HTTPS via X-Forwarded-Proto.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 02:02:42 +02:00
parent e28739f8f1
commit f95de1482d
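To make the failure mode in the commit message concrete, here is a small simplified model of Django's CSRF origin comparison as it behaves behind a TLS-terminating proxy. This is an added illustration, not Django's or the project's own code: it mirrors only the path the commit describes (request scheme taken from X-Forwarded-Proto solely when SECURE_PROXY_SSL_HEADER is configured; the browser's Origin must equal the request's own origin or appear in CSRF_TRUSTED_ORIGINS) and the env parsing in the hunk. The hostnames, header values and env strings are constructed; wildcard trusted origins and the Referer fallback are not modelled.

```python
"""Simplified model of Django's CSRF Origin check behind a TLS-terminating proxy.

Added illustration, not Django's own implementation. It models:
  * the scheme Django assigns to a proxied request: plain "http" unless
    SECURE_PROXY_SSL_HEADER is set and the named header carries the expected
    value (the X-Forwarded-Proto contract with traefik);
  * the Origin comparison: accepted when it equals "<scheme>://<host>" or is
    listed in CSRF_TRUSTED_ORIGINS (exact entries only; wildcards not modelled);
  * the env parsing from the commit (comma split, empties dropped).
"""

# Same shape as Django's setting: (WSGI header name, value meaning "TLS").
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def parse_trusted_origins(env_value: str) -> list[str]:
    """Mirror the hunk: comma-split and drop empty entries ("" -> [])."""
    return [o for o in env_value.split(",") if o]


def request_scheme(headers: dict, secure_proxy_ssl_header=None) -> str:
    """Scheme Django believes the request used.

    With TLS terminated at the proxy the socket is plain HTTP, so without
    SECURE_PROXY_SSL_HEADER the answer is always "http".
    """
    if secure_proxy_ssl_header:
        name, value = secure_proxy_ssl_header
        if headers.get(name) == value:
            return "https"
    return "http"


def csrf_origin_ok(headers: dict, host: str, trusted_origins: list[str],
                   secure_proxy_ssl_header=None) -> bool:
    """True when the browser's Origin passes the (modelled) CSRF origin check."""
    origin = headers.get("HTTP_ORIGIN")
    if origin is None:
        # Django would fall back to Referer checks here; out of scope.
        raise ValueError("model only covers requests that send an Origin header")
    if origin in trusted_origins:
        return True
    expected = f"{request_scheme(headers, secure_proxy_ssl_header)}://{host}"
    return origin == expected


if __name__ == "__main__":
    # Constructed request as traefik would forward it: the browser spoke
    # https, so its Origin is https://..., and traefik adds X-Forwarded-Proto.
    host = "app.example.test"
    headers = {"HTTP_ORIGIN": f"https://{host}",
               "HTTP_X_FORWARDED_PROTO": "https"}

    # Before the fix: empty trusted origins, no proxy header setting -> 403.
    print("before:", csrf_origin_ok(headers, host, parse_trusted_origins("")))
    # After the fix: either change alone is enough; the commit applies both.
    print("after :", csrf_origin_ok(headers, host, parse_trusted_origins(""),
                                    PROXY_SSL_HEADER))
```

Running the script prints `before: False` and `after : True`, which is the 403-then-fixed sequence the commit describes. The model also shows why the two settings are complementary rather than redundant: a trusted-origins entry whitelists a specific origin, whereas SECURE_PROXY_SSL_HEADER makes Django compute the correct origin for every host it serves, and it is only safe when the proxy overwrites any client-supplied X-Forwarded-Proto.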


@@ -5,6 +5,16 @@ from .base import * # noqa: F401, F403
DEBUG = False
ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='').split(',')
# Behind traefik (TLS terminated at the proxy). Without these, Django sees the
# request as plain HTTP and rejects the browser's https:// Origin on every POST
# with a CSRF failure (403) — the request never reaches the view, so saves fail
# silently and the DB stays empty. The deployment already injects
# CSRF_TRUSTED_ORIGINS via env; this reads it.
CSRF_TRUSTED_ORIGINS = [
o for o in config('CSRF_TRUSTED_ORIGINS', default='').split(',') if o
]
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
SECURE_BROWSER_XSS_FILTER = True
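Review bot: the new SECURE_PROXY_SSL_HEADER line trusts X-Forwarded-Proto unconditionally, which is only safe when traefik overwrites any client-supplied value before forwarding; the comment block above it should state that assumption so the setting is not copied to a deployment where the app is reachable without the proxy. Two smaller points: ALLOWED_HOSTS on the unchanged context line still keeps the empty string from split(',') when the env var is unset, unlike the new `if o` filter on CSRF_TRUSTED_ORIGINS, so the same filter could apply there; and since Django 4.0 each CSRF_TRUSTED_ORIGINS entry must include the scheme (https://host), which is worth noting in the comment because the value is injected by the deployment rather than defined in this file.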