Opened 14 months ago
Closed 14 months ago
#35805 closed Bug (invalid)
CSRF errors when using custom domains but not when using azure default domain
| Reported by: | Dan Martinez | Owned by: | |
|---|---|---|---|
| Component: | CSRF | Version: | 5.0 |
| Severity: | Normal | Keywords: | CSRF custom-domain CORS azure |
| Cc: | Dan Martinez | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Deployed as a web app in Azure and added my custom purchased (namecheap.com) domain name, let's call it 'i-heart-java.com'. I added the custom domain URL to the ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS lists, both as https and http, including extra 'www.' entries. The app pulls up successfully on those URLs and my page works for the most part, except when logging into any part of the app VIA MY CUSTOM DOMAIN; otherwise login works fine with the Azure default domain. The error shows:
2024-09-24T14:24:35.1649753Z Forbidden (Origin checking failed - https://www.mydomain.com does not match any trusted origins.): /admin/login/
I followed the documentation and have searched for this issue, only to find that I am (so far) the only one encountering it. My settings file details are below, and I have tried to mix and match these related Booleans with no luck:
ALLOWED_HOSTS = [
    'https://127.0.0.1:8000',
    '127.0.0.1',
    'https://mydomain-XXX.eastus-0X.azurewebsites.net/',  # <- Azure default domain (logins work with no csrf errors here)
    "http://mydomain.com",
    'https://mydomain.com',
    "http://www.mydomain.com",
    'https://www.mydomain.com',
    # ..others..
]
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False
CORS_ALLOW_ALL_ORIGINS = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_USE_SESSIONS = True
SESSION_COOKIE_DOMAIN = '.charotte100.com'
SESSION_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = [
    "https://mydomain.com",
    "http://mydomain.com",
    "https://www.mydomain.com",
    "http://www.mydomain.com",
    # ..others..
]
I am not using any reverse proxy like Nginx, have the bog-standard CSRF middleware installed, and am running via the standard gunicorn app command. Can anyone shed any light on whether this is a possible Django issue, whether my configuration is correct, or whether this is possibly a custom domain DNS issue?
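The following is an added example, not code from the ticket and not Django's own source: a stand-alone re-implementation of the two checks that produce the "Origin checking failed" message, modelled on Django's validate_host() (the ALLOWED_HOSTS check) and CsrfViewMiddleware._origin_verified(). It runs without Django so the reporter's style of settings can be tried against a synthetic request. The hostnames, the settings lists and the request headers are constructed for illustration; 'mydomain.com' and the azurewebsites.net name are the ticket's own placeholders, and the "TLS terminated upstream" scenarios assume a deployment where the app sees the request as plain HTTP.

```python
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Mirror of django.utils.http.is_same_domain: a pattern beginning with
    '.' matches the bare domain and any subdomain; otherwise exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "."
        and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def validate_host(host, allowed_hosts):
    """The Host-header check behind ALLOWED_HOSTS (port already stripped).
    Entries are compared as hostnames, so an entry that carries a scheme,
    e.g. 'https://mydomain.com', can never match the Host header 'mydomain.com'."""
    host = host.lower()
    return any(pattern == "*" or is_same_domain(host, pattern) for pattern in allowed_hosts)


def origin_verified(origin, host, is_secure, allowed_hosts, trusted_origins):
    """Origin check applied to unsafe (POST etc.) requests.
    origin:   the Origin request header
    host:     the Host header, as request.get_host() would return it
    is_secure: what request.is_secure() reports to the application
    Returns True when the Origin header is acceptable."""
    # 1. Same-origin: Origin equals scheme://Host, but only when the Host
    #    header itself passes ALLOWED_HOSTS.
    if validate_host(host, allowed_hosts):
        good_origin = "%s://%s" % ("https" if is_secure else "http", host)
        if origin == good_origin:
            return True
    # 2. Exact match against CSRF_TRUSTED_ORIGINS entries without a wildcard.
    exact = {o for o in trusted_origins if "*" not in o}
    if origin in exact:
        return True
    # 3. Wildcard entries such as 'https://*.mydomain.com' are split by scheme;
    #    the netloc after the '*' becomes a '.mydomain.com' subdomain pattern.
    subdomains = {}
    for o in trusted_origins:
        if "*" in o:
            parsed = urlparse(o)
            subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
    try:
        parsed = urlparse(origin)
    except ValueError:
        return False
    return any(
        is_same_domain(parsed.netloc, pat)
        for pat in subdomains.get(parsed.scheme, ())
    )


def ticket_scenarios():
    """Run the checks against settings constructed after the ticket."""
    origin = "https://www.mydomain.com"  # the Origin quoted in the error
    host = "www.mydomain.com"
    scheme_prefixed_hosts = ["https://mydomain.com", "https://www.mydomain.com"]
    bare_hosts = ["mydomain.com", "www.mydomain.com",
                  "mydomain-XXX.eastus-0X.azurewebsites.net"]
    trusted = ["https://mydomain.com", "https://www.mydomain.com"]
    return {
        # ALLOWED_HOSTS entries must be hostnames; URLs never match.
        "scheme_prefixed_allowed_hosts_match": validate_host(host, scheme_prefixed_hosts),
        "bare_allowed_hosts_match": validate_host(host, bare_hosts),
        # Same-origin path: no CSRF_TRUSTED_ORIGINS needed when the app sees
        # HTTPS and the Host header is allowed.
        "same_origin_https": origin_verified(origin, host, True, bare_hosts, []),
        # TLS terminated in front of the app and not forwarded: is_secure() is
        # False, the computed origin is http://..., only CSRF_TRUSTED_ORIGINS saves it.
        "tls_terminated_no_trusted": origin_verified(origin, host, False, bare_hosts, []),
        "tls_terminated_with_trusted": origin_verified(origin, host, False, bare_hosts, trusted),
        # The ticket's exact message: the www origin is in none of the lists.
        "www_missing_from_trusted": origin_verified(
            origin, host, False, bare_hosts, ["https://mydomain.com"]),
        # One wildcard entry covers the bare domain and every subdomain.
        "wildcard_covers_www": origin_verified(
            origin, host, False, bare_hosts, ["https://*.mydomain.com"]),
        # The scheme is part of the match: an https wildcard never admits http.
        "wildcard_wrong_scheme": origin_verified(
            "http://www.mydomain.com", "mydomain.com", False, bare_hosts,
            ["https://*.mydomain.com"]),
    }


if __name__ == "__main__":
    for name, ok in ticket_scenarios().items():
        print("%-38s %s" % (name, "verified" if ok else "REJECTED"))
```

The practical check this gives a reporter in the ticket's position: dump the settings the running process actually sees (`python manage.py shell -c "from django.conf import settings; print(settings.CSRF_TRUSTED_ORIGINS)"`) and compare them with the Origin string in the log line, since the check is an exact string match unless a wildcard entry is used; and keep ALLOWED_HOSTS to bare hostnames, because scheme-prefixed entries silently disable the same-origin shortcut and leave CSRF_TRUSTED_ORIGINS as the only path that can succeed.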
See TicketClosingReasons/UseSupportChannels for ways to get help.