Opened 6 weeks ago
Last modified 8 days ago
#35328 assigned Cleanup/optimization
Improve CSRF Origin checking messaging
| Reported by: | Ryan Hiebert | Owned by: | Ryan Hiebert |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Carlton Gibson, tim-schilling | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
A very common misconfiguration is for the
SECURE_PROXY_SSL_HEADER setting to not be configured correctly. This causes the origin checks to fail, but the messaging leads folks like me to the CSRF_TRUSTED_ORIGINS setting, which is not really what you want in this scenario. In some cases, like GitHub Codespaces, you may also need the USE_X_FORWARDED_HOST setting as well.
I believe we can make some common scenarios easier to fix by improving our error messaging. Particularly in DEBUG mode, we can show useful information about their headers and give a suggestion about what fix might be appropriate.
https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
Change History (5)
comment:1 by , 6 weeks ago
| Cc: | added |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | New feature → Cleanup/optimization |
comment:2 by , 6 weeks ago
| Patch needs improvement: | set |
|---|
comment:3 by , 5 weeks ago
| Patch needs improvement: | unset |
|---|
comment:4 by , 4 weeks ago
| Owner: | changed from to |
|---|
comment:5 by , 8 days ago
| Patch needs improvement: | set |
|---|
Note:
See TracTickets
for help on using tickets.
Accepting following the linked Forum discussion.