Improve CSRF Origin checking messaging
A very common misconfiguration is for the SECURE_PROXY_SSL_HEADER setting to not be configured correctly. This causes the origin checks to fail, but the messaging leads folks like me to the CSRF_TRUSTED_ORIGINS setting, which is not really what you want in this scenario. In some cases, like GitHub Codespaces, you may also need the USE_X_FORWARDED_HOST setting.

I believe we can make some common scenarios easier to fix by improving our error messaging. Particularly in DEBUG mode, we can show useful information about their headers and give a suggestion about what fix might be appropriate.
https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
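The failure mode the ticket describes, as an added stand-alone example (not Django's own code and not part of the ticket): a simplified re-creation of how CsrfViewMiddleware builds the "good origin" it compares against the Origin header, run against constructed proxy headers. The setting names are Django's; the function names, the sample hostnames and the hint wording are assumptions.

```python
# Added example, not Django's code: a simplified stand-alone re-creation of the
# "good origin" comparison CsrfViewMiddleware makes, run against constructed headers.

def request_scheme(meta, settings):
    """Mirror request.is_secure(): trust a proxy header only when configured."""
    proxy_header = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy_header:
        header, secure_value = proxy_header
        value = meta.get(header)
        if value is not None:
            value, *_ = value.split(",", 1)  # only the first hop is considered
            return "https" if value.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")  # what the proxy spoke to the app

def request_host(meta, settings):
    """Mirror request.get_host(): X-Forwarded-Host only if USE_X_FORWARDED_HOST."""
    if settings.get("USE_X_FORWARDED_HOST") and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta["HTTP_HOST"]

def diagnose_origin(meta, settings):
    """Return (verified, good_origin, hint) for a request carrying an Origin header."""
    origin = meta["HTTP_ORIGIN"]
    good_origin = f"{request_scheme(meta, settings)}://{request_host(meta, settings)}"
    if origin == good_origin or origin in settings.get("CSRF_TRUSTED_ORIGINS", ()):
        return True, good_origin, ""
    o_scheme, _, o_host = origin.partition("://")
    g_scheme, _, g_host = good_origin.partition("://")
    hints = []
    if o_scheme == "https" and g_scheme == "http":
        hints.append("scheme mismatch: set SECURE_PROXY_SSL_HEADER = "
                     "('HTTP_X_FORWARDED_PROTO', 'https')")
    if o_host != g_host and meta.get("HTTP_X_FORWARDED_HOST") == o_host:
        hints.append("host mismatch: set USE_X_FORWARDED_HOST = True")
    if not hints:
        hints.append(f"add {origin!r} to CSRF_TRUSTED_ORIGINS only if it is really trusted")
    return False, good_origin, "; ".join(hints)

# Constructed WSGI environ as the app sees it behind a TLS-terminating proxy.
PROXIED_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "localhost:8000",
    "HTTP_X_FORWARDED_HOST": "app.example.test",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_ORIGIN": "https://app.example.test",
}
MISCONFIGURED = {}  # neither setting configured: check fails on scheme and host
FIXED = {"SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
         "USE_X_FORWARDED_HOST": True}
```

Set SECURE_PROXY_SSL_HEADER only when the proxy in front of the app always sets or overwrites that header; otherwise a client can supply it and make a plain-HTTP request look secure.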
Change History (9)

Cc: Carlton Gibson, tim-schilling added
Triage Stage: Unreviewed → Accepted
Type: New feature → Cleanup/optimization
Patch needs improvement: set
Patch needs improvement: unset
Owner: changed from nobody to Ryan Hiebert
Patch needs improvement: set
Patch needs improvement: unset
Patch needs improvement: set
Patch needs improvement: unset
Patch needs improvement: set
Accepting following the linked Forum discussion.