#35328: Improve CSRF Origin checking messaging
----------------------------------------+--------------------------
               Reporter:  Ryan Hiebert  |          Owner:  nobody
                   Type:  New feature   |         Status:  assigned
              Component:  CSRF          |        Version:  dev
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  1
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+--------------------------
 A very common misconfiguration is for the
 `SECURE_PROXY_SSL_HEADER` setting to not be configured correctly. This
 causes the origin checks to fail, but the messaging leads folks like me to
 the `CSRF_TRUSTED_ORIGINS` setting, which is not really what you want in
 this scenario. In some cases, like GitHub Codespaces, you may also need
 the `USE_X_FORWARDED_HOST` setting as well.

 I believe we can make some common scenarios easier to fix by improving our
 error messaging. Particularly in `DEBUG` mode, we can show useful
 information about their headers and give a suggestion about what fix might
 be appropriate.

 https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35328>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
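As an added illustration (not Django's code and not the patch attached to this ticket), here is a simplified model of how the CSRF middleware reconstructs the request origin from `Host`, `X-Forwarded-Host` and `SECURE_PROXY_SSL_HEADER`, together with the kind of DEBUG hint the ticket asks for: point at the proxy setting that explains the mismatch before suggesting `CSRF_TRUSTED_ORIGINS`. The WSGI `META` dictionary and host names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Settings:
    """The three Django settings named in the ticket (values constructed here)."""
    SECURE_PROXY_SSL_HEADER: tuple = None  # e.g. ("HTTP_X_FORWARDED_PROTO", "https")
    USE_X_FORWARDED_HOST: bool = False
    CSRF_TRUSTED_ORIGINS: list = field(default_factory=list)

def request_origin(meta: dict, s: Settings) -> str:
    """Simplified model of the scheme://host Django derives from WSGI META."""
    scheme = meta.get("wsgi.url_scheme", "http")
    if s.SECURE_PROXY_SSL_HEADER:
        header, secure_value = s.SECURE_PROXY_SSL_HEADER
        value = meta.get(header)
        if value is not None:  # Django honours only the first comma-separated value
            scheme = "https" if value.split(",", 1)[0].strip() == secure_value else "http"
    host = meta.get("HTTP_HOST", "")
    if s.USE_X_FORWARDED_HOST and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    return f"{scheme}://{host}"

def check_origin(meta: dict, s: Settings):
    """Return ("ok", None) or ("rejected", [settings worth checking first])."""
    origin = meta.get("HTTP_ORIGIN", "")
    expected = request_origin(meta, s)
    if origin == expected or origin in s.CSRF_TRUSTED_ORIGINS:
        return "ok", None
    o_scheme, _, o_host = origin.partition("://")
    e_scheme, _, e_host = expected.partition("://")
    hints = []
    # Scheme differs and the proxy sent X-Forwarded-Proto: the TLS hop is invisible to Django.
    if o_scheme != e_scheme and "HTTP_X_FORWARDED_PROTO" in meta and not s.SECURE_PROXY_SSL_HEADER:
        hints.append("SECURE_PROXY_SSL_HEADER")
    # Host differs and the proxy sent X-Forwarded-Host: Django is still using the internal Host.
    if o_host != e_host and "HTTP_X_FORWARDED_HOST" in meta and not s.USE_X_FORWARDED_HOST:
        hints.append("USE_X_FORWARDED_HOST")
    if not hints:  # no forwarded header explains the mismatch, so the origin really is foreign
        hints.append("CSRF_TRUSTED_ORIGINS")
    return "rejected", hints

# Constructed META as seen behind a TLS-terminating reverse proxy (Codespaces-style setup).
META_BEHIND_PROXY = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "127.0.0.1:8000",
    "HTTP_X_FORWARDED_HOST": "app.example.test",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_ORIGIN": "https://app.example.test",
}
```

With the default settings the check rejects the request and names both proxy settings; once `SECURE_PROXY_SSL_HEADER` and `USE_X_FORWARDED_HOST` are set, the reconstructed origin matches the browser's `Origin` header without touching `CSRF_TRUSTED_ORIGINS`.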
