CSRF Trusted Origins #2909
Comments
|
One of the users, @sebytza23, faced a challenge with hosting both the backend and the client on the same server while enforcing HTTPS using Apache2 and Virtualmin for the front end. The issue arose because the user couldn’t use the same port (443) for the Apache2 client and the backend. To help, I suggested using Apache as a reverse proxy for the backend and provided specific configurations for the Apache module, along with ProxyPass directives. Additionally, I informed the user about the ongoing addition of For reference, for anyone else with a similar setup: Enable Apache Modules: sudo a2enmod proxy
sudo a2enmod proxy_httpConfigure ProxyPass: Edit your Apache configuration file. This could be the default configuration file located at /etc/apache2/sites-available/000-default.conf or a custom configuration file. Add the ProxyPass directive to forward requests to your API. <VirtualHost *:443>
ServerName your-domain.com
# ... other configuration settings ...
ProxyPass /api http://localhost:3000/
ProxyPassReverse /api http://localhost:3000/
# Forward client's IP address
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}
RequestHeader set X-Real-IP %{REMOTE_ADDR}
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>Restart Apache: sudo systemctl restart apache2 |
|
solved by #2910 |
A possible solution that maintains best practice for CSRF protection while addressing some users issue where they have multilple origins that they consider trusted, could be to mirror https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS
Originally posted by @sixcolors in #2904 (review)
The text was updated successfully, but these errors were encountered: