From 562367fa33e14683a69729edae48e2bceeb12341 Mon Sep 17 00:00:00 2001
From: tomolopolis
Date: Tue, 2 Jul 2024 18:46:12 +0100
Subject: [PATCH] CU-8694gtycm: latest Django CSRF protections to be used now.
---
 envs/env | 3 +++
 webapp/api/core/settings.py | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/envs/env b/envs/env
index 404f8884..3d58bcb5 100644
--- a/envs/env
+++ b/envs/env
@@ -7,6 +7,9 @@ MEDCAT_CONFIG_FILE=/home/configs/base.txt
 ### Deployment Realm ###
 ENV=non-prod
+# Complete once this is deployed
+CSRF_TRUSTED_ORIGINS=
+
 ### Django debug setting - to live-reload etc. ###
 DEBUG=True
diff --git a/webapp/api/core/settings.py b/webapp/api/core/settings.py
index 04c493e6..403d6661 100644
--- a/webapp/api/core/settings.py
+++ b/webapp/api/core/settings.py
@@ -20,9 +20,11 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+environ_origins = os.environ.get('CSRF_TRUSTED_ORIGINS', None)
+trusted_origins = [] if environ_origins is None else environ_origins.split(',')
+CSRF_TRUSTED_ORIGINS = ['https://127.0.0.1:8001', 'http://localhost:8001'] + trusted_origins
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+SECURE_CROSS_ORIGIN_OPENER_POLICY = None
 # SECURITY WARNING: keep the secret key used in production secret!
 realm = os.environ.get('ENV', 'non-prod')
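Review bot: The `trusted_origins` line in settings.py only guards against the variable being unset, not empty, so the `CSRF_TRUSTED_ORIGINS=` placeholder this same commit adds to envs/env yields `''.split(',')` → `['']` and an empty origin is appended to CSRF_TRUSTED_ORIGINS; Django 4.0 and newer reject entries without a scheme at system-check time, and older versions most likely ignore the entry silently, so the failure mode depends on a Django version the hunk does not show. Stripping whitespace and dropping empty items covers both cases: `trusted_origins = [o.strip() for o in (environ_origins or '').split(',') if o.strip()]`. `SECURE_CROSS_ORIGIN_OPENER_POLICY = None` turns off the Cross-Origin-Opener-Policy header Django sends by default (`'same-origin'`), which is unrelated to the CSRF change in the title and lets cross-origin documents keep a window handle to this app, so it needs a why-comment such as `# COOP header disabled: <reason — fill in>; Django's default is 'same-origin'`. The two development origins (`https://127.0.0.1:8001`, `http://localhost:8001`) are also merged in unconditionally, including for the production realm; consider adding them only when `realm` is non-prod or DEBUG is on, so production trusts exactly what the environment supplies.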