Adds SECURE_CSRF_ORIGINS setting (#194)

Better-HPC · Mar 3, 2024 · 99a74a9 · 99a74a9
1 parent f59d0a1
commit 99a74a9
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -105,6 +105,7 @@ sessions and require users to reauthenticate.
 | `SECURE_ALLOWED_HOSTS`    | `localhost,127.0.0.1`    | Comma-separated list of accepted host/domain names.           |
 | `SECURE_SSL_REDIRECT`     | `False`                  | Automatically redirect all HTTP traffic to HTTPS.             |
 | `SECURE_SESSION_TOKENS`   | `False`                  | Only issue session/CSRF tokens over secure connections.       |
+| `SECURE_CSRF_ORIGINS`     | `[]`                     | Domains (with protocol) to accept CSRF headers from.          |
 | `SECURE_HSTS_SECONDS`     | `0` (Disabled)           | HSTS cache duration in seconds.                               |
 | `SECURE_HSTS_SUBDOMAINS`  | `False`                  | Enable HSTS for subdomains.                                   |
 | `SECURE_HSTS_PRELOAD`     | `False`                  | Enable HSTS preload functionality.                            |

diff --git a/keystone_api/main/settings.py b/keystone_api/main/settings.py
@@ -31,6 +31,7 @@
 _SECURE_SESSION_TOKENS = env.bool("SECURE_SESSION_TOKENS", False)
 SESSION_COOKIE_SECURE = _SECURE_SESSION_TOKENS
 CSRF_COOKIE_SECURE = _SECURE_SESSION_TOKENS
+CSRF_TRUSTED_ORIGINS = env.list("SECURE_CSRF_ORIGINS", default=[])
 
 SECURE_SSL_REDIRECT = env.bool("SECURE_SSL_REDIRECT", False)
 SECURE_HSTS_PRELOAD = env.bool("SECURE_HSTS_PRELOAD", False)