diff --git a/vergabe_teilnahme/settings/prod.py b/vergabe_teilnahme/settings/prod.py
index e020c08..cbd3983 100644
--- a/vergabe_teilnahme/settings/prod.py
+++ b/vergabe_teilnahme/settings/prod.py
@@ -5,6 +5,16 @@ from .base import * # noqa: F401, F403
 DEBUG = False
 ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='').split(',')
+# Behind traefik (TLS terminated at the proxy). Without these, Django sees the
+# request as plain HTTP and rejects the browser's https:// Origin on every POST
+# with a CSRF failure (403) — the request never reaches the view, so saves fail
+# silently and the DB stays empty. The deployment already injects
+# CSRF_TRUSTED_ORIGINS via env; this reads it.
+CSRF_TRUSTED_ORIGINS = [
+ o for o in config('CSRF_TRUSTED_ORIGINS', default='').split(',') if o
+]
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
 SECURE_BROWSER_XSS_FILTER = True
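Review bot: `SECURE_PROXY_SSL_HEADER` tells Django to trust a client-settable header, so the new setting is only safe if traefik always overwrites `X-Forwarded-Proto` on the way in and the app port is never reachable except through the proxy — the comment block should state that precondition, e.g. `# Only safe because traefik overwrites X-Forwarded-Proto; never publish the app port directly.`, because a request that bypasses the proxy can otherwise spoof `is_secure()` and defeat `SECURE_SSL_REDIRECT` and the secure-cookie checks. The `CSRF_TRUSTED_ORIGINS` comprehension also keeps surrounding whitespace, so an env value written as `https://a.example, https://b.example` produces an entry with a leading space that never matches the browser's Origin; `o.strip() for o in config('CSRF_TRUSTED_ORIGINS', default='').split(',') if o.strip()` avoids that. Since the value comes from deployment env, it is worth noting in the comment that Django 4+ requires each entry to carry its scheme (`https://host`), as a bare hostname is silently ignored by the CSRF check.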