[PR #597] [CLOSED] Enable Django setting CSRF_TRUSTED_SOURCES #997

Closed
opened 2026-02-26 00:30:22 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/healthchecks/healthchecks/pull/597
Author: @jormaj
Created: 1/13/2022
Status: Closed

Base: master ← Head: CSRF_TRUSTED_SOURCES


📝 Commits (2)

  • 0da8c97 Enable Django setting CSRF_TRUSTED_SOURCES
  • 28402db properly handle variable not set

📊 Changes

2 files changed (+4 additions, -0 deletions)

📝 docker/.env (+1 -0)
📝 hc/settings.py (+3 -0)

📄 Description

On my dockerized setup (using an Nginx reverse proxy) I got CSRF errors since the move to Django 4 (also see https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins).
After some investigation I found out that this is caused by the fact that the proxy is SSL terminating (i.e. the proxy is reached through https), and the docker container is running on localhost (i.e. http).

The Django csrf check (https://github.com/django/django/blob/3ff7f6cf07a722635d690785c31ac89484134bee/django/middleware/csrf.py#L275) looks at the scheme of the request, so there's a mismatch between the scheme + host and the origin (i.e. http:// vs https://).
A workaround is to use CSRF_TRUSTED_SOURCES and set the origin there as a trusted origin.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
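
The scheme mismatch described in the PR, as an added example that is not part of the PR or of Django's or Healthchecks' code: a simplified standard-library model of the Origin comparison, using the setting name from the linked Django documentation (CSRF_TRUSTED_ORIGINS). The hostname hc.example.org and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit


def is_same_domain(host, pattern):
    """True if host equals pattern, or pattern starts with '.' and host is under it."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def origin_verified(origin, host, is_secure, trusted_origins=()):
    """Simplified model of the Origin header comparison (not Django's own code).

    origin          -- Origin header sent by the browser
    host            -- Host header as the application sees it
    is_secure       -- whether the application believes the request used HTTPS
    trusted_origins -- entries shaped like CSRF_TRUSTED_ORIGINS (scheme included)
    """
    # The application rebuilds the origin it expects from its own view of the request.
    expected = "%s://%s" % ("https" if is_secure else "http", host)
    if origin == expected:
        return True
    # Exact entries must match scheme, host and port character for character.
    if origin in {t for t in trusted_origins if "*" not in t}:
        return True
    # Wildcard entries ("https://*.example.org") match subdomains within one scheme.
    seen = urlsplit(origin)
    for entry in trusted_origins:
        if "*" not in entry:
            continue
        allowed = urlsplit(entry)
        if allowed.scheme == seen.scheme and is_same_domain(
            seen.netloc, allowed.netloc.lstrip("*")
        ):
            return True
    return False


def demo():
    """Constructed scenario: browser -> https proxy -> http container."""
    origin, host = "https://hc.example.org", "hc.example.org"
    return {
        "behind_tls_proxy": origin_verified(origin, host, is_secure=False),
        "trusted_exact": origin_verified(origin, host, False, ["https://hc.example.org"]),
        "trusted_wildcard": origin_verified(origin, host, False, ["https://*.example.org"]),
        "wrong_scheme_entry": origin_verified(origin, host, False, ["http://*.example.org"]),
        "other_site": origin_verified("https://other.example.net", host, False, ["https://hc.example.org"]),
    }
```

demo() returns False for the proxied request with no trusted entry, for the wrong-scheme entry and for the unrelated origin, and True for the two entries that list the public https origin.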
