#35328: Improve CSRF Origin checking messaging
----------------------------------------+--------------------------
Reporter: Ryan Hiebert | Owner: nobody
Type: New feature | Status: assigned
Component: CSRF | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+--------------------------
A very common misconfiguration is for the
`SECURE_PROXY_SSL_HEADER` setting to not be configured correctly. This
causes the origin checks to fail, but the messaging leads folks like me to
the `CSRF_TRUSTED_ORIGINS` setting, which is not really what you want in
this scenario. In some cases, like GitHub Codespaces, you may also need
the `USE_X_FORWARDED_HOST` setting as well.
I believe we can make some common scenarios easier to fix by improving our
error messaging. Particularly in `DEBUG` mode, we can show useful
information about their headers and give a suggestion about what fix might
be appropriate.
https://forum.djangoproject.com/t/forwarded-headers-csrf-hints/28616
--
Ticket URL: <https://code.djangoproject.com/ticket/35328>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018e737ec8d9-d1b3dbb2-1a6b-4cc2-9960-88bf85058e29-000000%40eu-central-1.amazonses.com.
