#35328: Improve CSRF Origin checking messaging
----------------------------------------+--------------------------
               Reporter:  Ryan Hiebert  |          Owner:  nobody
                   Type:  New feature   |         Status:  assigned
              Component:  CSRF          |        Version:  dev
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  1
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+--------------------------
 A very common misconfiguration is for the `SECURE_PROXY_SSL_HEADER` setting
 to not be configured correctly. This causes the origin checks to fail, but
 the messaging leads folks like me to the `CSRF_TRUSTED_ORIGINS` setting,
 which is not really what you want in this scenario. In some cases, like
 GitHub Codespaces, you may also need the `USE_X_FORWARDED_HOST` setting as
 well.
 I believe we can make some common scenarios easier to fix by improving our
 error messaging. Particularly in `DEBUG` mode, we can show useful
 information about their headers and give a suggestion about what fix might
 be appropriate.

 https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616

--
Ticket URL: <https://code.djangoproject.com/ticket/35328>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
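Added illustration (not part of the ticket and not Django's own code): a simplified model of how a proxied request's scheme and host are derived from `SECURE_PROXY_SSL_HEADER` and `USE_X_FORWARDED_HOST`, how that feeds the Origin comparison, and the kind of `DEBUG`-mode hint the ticket asks for. The setting names are Django's; the helper functions (`request_scheme`, `request_host`, `check_origin`, `diagnose`) and the sample request `PROXIED_POST` are constructed for this example, and the model leaves out Django's Referer fallback and wildcard trusted origins.

```python
# Added example, not Django's code: a reduced model of the CSRF Origin check
# behind a TLS-terminating reverse proxy. Setting names match Django's; the
# helper names and the sample request below are constructed for this example.
from urllib.parse import urlsplit


def request_scheme(meta, secure_proxy_ssl_header=None):
    """Scheme as the app sees it. Without SECURE_PROXY_SSL_HEADER the app only
    trusts what its own socket saw, which behind a TLS-terminating proxy is
    plain http even though the browser spoke https."""
    if secure_proxy_ssl_header is not None:
        header, value = secure_proxy_ssl_header
        if meta.get(header) == value:
            return "https"
    return meta.get("wsgi.url_scheme", "http")


def request_host(meta, use_x_forwarded_host=False):
    """Host as the app sees it; X-Forwarded-Host is honoured only on opt-in."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"].split(",")[0].strip()
    return meta["HTTP_HOST"]


def check_origin(meta, secure_proxy_ssl_header=None, use_x_forwarded_host=False,
                 csrf_trusted_origins=()):
    """Return (ok, message). ok is True when the Origin header equals the
    request's own scheme://host or an entry of CSRF_TRUSTED_ORIGINS; otherwise
    the message carries a hint derived from the forwarded headers."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False, "Origin header missing"
    expected = (f"{request_scheme(meta, secure_proxy_ssl_header)}://"
                f"{request_host(meta, use_x_forwarded_host)}")
    if origin == expected:
        return True, f"Origin {origin} matches the request's own origin"
    if origin in csrf_trusted_origins:
        return True, f"Origin {origin} is listed in CSRF_TRUSTED_ORIGINS"
    return False, diagnose(meta, origin, expected)


def diagnose(meta, origin, expected):
    """Build the DEBUG-style hint: point at the proxy settings when the
    forwarded headers explain the mismatch, and only otherwise at
    CSRF_TRUSTED_ORIGINS."""
    o, e = urlsplit(origin), urlsplit(expected)
    hints = [f"Origin {origin} does not match the request's origin {expected}."]
    if o.scheme != e.scheme and meta.get("HTTP_X_FORWARDED_PROTO") == o.scheme:
        hints.append(
            f"The proxy sent X-Forwarded-Proto: {o.scheme} but the request "
            f"scheme is {e.scheme}; if the proxy always overwrites that header, "
            "set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')."
        )
    if o.netloc != e.netloc and meta.get("HTTP_X_FORWARDED_HOST") == o.netloc:
        hints.append(
            f"The proxy sent X-Forwarded-Host: {o.netloc} but the request host "
            f"is {e.netloc}; if the proxy always overwrites that header, set "
            "USE_X_FORWARDED_HOST = True."
        )
    if len(hints) == 1:
        hints.append("If this origin really is a different site, add it to "
                     "CSRF_TRUSTED_ORIGINS.")
    return " ".join(hints)


# Constructed sample: a Codespaces-style setup where a TLS-terminating proxy
# forwards to the dev server over plain http and under a different host name.
PROXIED_POST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "127.0.0.1:8000",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "myapp.example.test",
    "HTTP_ORIGIN": "https://myapp.example.test",
}

if __name__ == "__main__":
    # Misconfigured: both hints point at the proxy settings, not at
    # CSRF_TRUSTED_ORIGINS.
    print(check_origin(PROXIED_POST))
    # Configured for the proxy: the Origin matches the request's own origin.
    print(check_origin(PROXIED_POST,
                       secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https"),
                       use_x_forwarded_host=True))
```

Running the block prints the misconfigured case first (a failure whose hint names `SECURE_PROXY_SSL_HEADER` and `USE_X_FORWARDED_HOST`) and then the corrected case (a pass). The hint's "if the proxy always overwrites that header" wording is the usual caveat for both settings: they are only safe when the proxy strips or replaces any client-supplied `X-Forwarded-Proto` / `X-Forwarded-Host`, since the app otherwise trusts whatever value a client chose to send.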