Re: [Django] #34855: Document CSRF_TRUSTED_ORIGINS relation to SECURE_PROXY_SSL_HEADER.


Django

Sep 22, 2023, 8:56:07 AM9/22/23
to django-...@googlegroups.com
#34855: Document CSRF_TRUSTED_ORIGINS relation to SECURE_PROXY_SSL_HEADER.
-------------------------------------+-------------------------------------
Reporter: jeroenmuller | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 4.2
Severity: Normal | Resolution: wontfix
Keywords: CSRF | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

I would be okay with adding documentation for this if it is a recurring
issue as long as it does not explicitly refer to `SECURE_PROXY_SSL_HEADER`
but is more like something along the lines of:
> If you are seeing CSRF failures on HTTPS sites, it might be possible
> that your webserver/loadbalancer does not pass on the information that the
> site is exposed via HTTPS. Please consult the documentation of your
> webserver/loadbalancer on how to properly configure your site for HTTPS.

We could add "(this might include configuring `SECURE_PROXY_SSL_HEADER`)"
at the end.

--
Ticket URL: <https://code.djangoproject.com/ticket/34855#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 30, 2024, 3:49:32 AM9/30/24
to django-...@googlegroups.com
#34855: Document CSRF_TRUSTED_ORIGINS relation to SECURE_PROXY_SSL_HEADER.
Comment (by Klaas van Schelven):

> When the CSRF origin check fails, the documentation points in the
> direction of adding that origin to CSRF_ALLOWED_ORIGINS. However, as far
> as I understand this should only be necessary if there are actually
> cross-origin requests.

I can second this:

The documentation recommends this, as does "the internet" (top-voted
answers on Stack Overflow), and pretty much everyone and their dog's blog.
Rarely is there any mention that setting this should in fact only be
required when you're doing anything cross-origin.

> Using SECURE_PROXY_SSL_HEADER must be an informed decision as it may
> cause security issues.

Yes. But: adding random stuff to `CSRF_ALLOWED_ORIGINS` should also be an
informed decision.

I found it useful to instead push to understanding the problem before
proceeding, by getting more verbose error messages from your middleware
(https://github.com/bugsink/verbose_csrf_middleware/blob/main/README.md).
Not the entire answer, but yet another puzzle piece.

I'm not pushi
--
Ticket URL: <https://code.djangoproject.com/ticket/34855#comment:3>
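The failure mode both comments describe, as an added illustration that is not part of the ticket and not Django's own code: a hypothetical, simplified model of the CSRF origin check, run against a constructed request that arrived over plain HTTP from a TLS-terminating proxy. It shows that the same-origin request is rejected, that listing the site in `CSRF_TRUSTED_ORIGINS` papers over the mismatch, and that a correctly configured `SECURE_PROXY_SSL_HEADER` makes the request same-origin again without any trusted-origins entry.

```python
# Hypothetical, simplified model of the Django CsrfViewMiddleware origin
# check (illustration only, not Django's code). Django compares the Origin
# header against "<scheme>://<host>" of the current request, and only then
# falls back to CSRF_TRUSTED_ORIGINS. If a TLS-terminating proxy forwards
# plain HTTP, the scheme is "http" while the browser's Origin says "https",
# so a same-origin POST looks cross-origin.


def is_secure(meta, secure_proxy_ssl_header):
    """Mirror request.is_secure(): trust the proxy header only if configured."""
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if secure_proxy_ssl_header is None:
        return False
    header, value = secure_proxy_ssl_header
    return meta.get(header) == value


def check_origin(meta, host, csrf_trusted_origins=(), secure_proxy_ssl_header=None):
    """Return (ok, reason). Same-origin requests need no CSRF_TRUSTED_ORIGINS
    entry, provided the request scheme is detected correctly."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False, "no Origin header"  # Referer fallback omitted here
    scheme = "https" if is_secure(meta, secure_proxy_ssl_header) else "http"
    good_origin = f"{scheme}://{host}"
    if origin == good_origin:
        return True, "same origin"
    if origin in csrf_trusted_origins:
        return True, "listed in CSRF_TRUSTED_ORIGINS"
    return False, f"Origin {origin!r} does not match {good_origin!r}"


# Constructed WSGI environ: the browser POSTed to https://app.example, the
# proxy terminated TLS and forwarded plain HTTP with X-Forwarded-Proto set.
PROXIED_POST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example",
    "HTTP_ORIGIN": "https://app.example",
    "HTTP_X_FORWARDED_PROTO": "https",
}

if __name__ == "__main__":
    print(check_origin(PROXIED_POST, "app.example"))  # rejected: http != https
    print(check_origin(PROXIED_POST, "app.example",
                       csrf_trusted_origins=("https://app.example",)))  # masked
    print(check_origin(PROXIED_POST, "app.example",
                       secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https")))
```

The header name and value passed as `secure_proxy_ssl_header` are only safe when the proxy strips any client-supplied copy of that header, which is the informed decision the second comment refers to.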