generated from coulomb/repo-seed
prod.py never read the CSRF_TRUSTED_ORIGINS env var the deployment already injects, so Django's setting stayed empty. Behind traefik's TLS termination Django saw requests as HTTP and rejected the browser's https:// Origin on every POST with a CSRF failure (403) — forms could not be saved and the DB stayed empty.

- Read CSRF_TRUSTED_ORIGINS from env (filtering empties).
- Set SECURE_PROXY_SSL_HEADER so Django recognizes HTTPS via X-Forwarded-Proto.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
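
An added illustration, not part of the commit or the repository's code: a simplified, stdlib-only model of the Origin check the commit message describes, showing why the POST was rejected and how each of the two settings changes the outcome. The host name, the comma-separated env format and all function names are assumptions made for the example.

```python
"""Simplified model of Django's CSRF Origin check behind a TLS-terminating proxy.
Added illustration: not prod.py and not Django's source. Wildcard trusted origins
and the Referer fallback used when no Origin header is present are not modeled."""
import os

def trusted_origins_from_env(environ=os.environ):
    # Assumption: the variable holds a comma-separated list of origins.
    raw = environ.get("CSRF_TRUSTED_ORIGINS", "")
    return [item.strip() for item in raw.split(",") if item.strip()]

def is_secure(meta, wire_scheme, proxy_ssl_header=None):
    # Documented SECURE_PROXY_SSL_HEADER behaviour: when the setting is present
    # and the header arrived, the header alone decides the scheme.
    if proxy_ssl_header:
        name, secure_value = proxy_ssl_header
        if name in meta:
            return meta[name] == secure_value
    return wire_scheme == "https"

def origin_verified(meta, wire_scheme, trusted, proxy_ssl_header=None):
    # Accept the Origin if it equals scheme://host as the app sees the request,
    # or if it is listed verbatim in the trusted origins.
    scheme = "https" if is_secure(meta, wire_scheme, proxy_ssl_header) else "http"
    good_origin = f"{scheme}://{meta['HTTP_HOST']}"
    origin = meta.get("HTTP_ORIGIN")
    return origin == good_origin or origin in trusted

# Constructed request as the app sees it: the proxy terminated TLS and
# forwarded plain HTTP, so the wire scheme is "http".
SAMPLE_META = {
    "HTTP_HOST": "app.example.test",
    "HTTP_ORIGIN": "https://app.example.test",
    "HTTP_X_FORWARDED_PROTO": "https",
}
PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

def outcomes(meta=SAMPLE_META):
    env = {"CSRF_TRUSTED_ORIGINS": "https://app.example.test,, "}  # constructed value
    return {
        "before_fix": origin_verified(meta, "http", []),
        "trusted_origins_only": origin_verified(meta, "http", trusted_origins_from_env(env)),
        "proxy_header_only": origin_verified(meta, "http", [], PROXY_HEADER),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: {'accepted' if accepted else '403 CSRF failure'}")
```

Django's documentation warns that SECURE_PROXY_SSL_HEADER is only safe when the proxy strips or overwrites X-Forwarded-Proto on incoming client requests, so that is worth confirming in the proxy configuration.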