CSRF_TRUSTED_ORIGINS changes (Cross-site request forgery) ¶
- https://docs.djangoproject.com/en/dev/releases/4.0/#csrf-trusted-origins-changes
- https://docs.djangoproject.com/en/dev/ref/csrf/#how-it-works
Documentation ¶
Format change ¶
Values in the CSRF_TRUSTED_ORIGINS setting must include the scheme (e.g. ‘http://’ or ‘https://’) instead of only the hostname.
Also, values that started with a dot must now also include an asterisk before the dot. For example, change ‘.example.com’ to ‘https://*.example.com’.
A system check detects any required changes.
Configuring it may now be required ¶
As CSRF protection now consults the Origin header, you may need to set CSRF_TRUSTED_ORIGINS, particularly if you allow requests from subdomains by setting CSRF_COOKIE_DOMAIN (or SESSION_COOKIE_DOMAIN if CSRF_USE_SESSIONS is enabled) to a value starting with a dot.
Example:
ALLOWED_HOSTS = [
    "localhost",
    "0.0.0.0",
    "intranet.srv.xxx.eu",
    "intranet-staging.srv.xxx.eu",
]

# https://groups.google.com/g/django-developers/c/W_RiCsguaSU/?pli=1
CSRF_TRUSTED_ORIGINS = [
    "http://0.0.0.0",
    "http://localhost",
    "https://intranet.srv.xxx.eu",
    "https://intranet-staging.srv.xxx.eu",
]
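As an added example (my own simplified re-implementation, not Django's code and not part of the notes above), this shows how the new format is interpreted: exact entries must match the Origin header scheme and host verbatim, while "https://*.example.com" entries match the domain and its subdomains for that scheme only. It also includes a small migration helper for 3.x-style values; the default scheme it assumes is "https".

```python
from urllib.parse import urlsplit

# Simplified model of Django 4.0's CSRF_TRUSTED_ORIGINS handling (not Django's
# own code). Django additionally accepts an Origin equal to the request's own
# scheme://host; that same-origin path is omitted here.


def migrate_origin(old_value: str, scheme: str = "https") -> str:
    """Rewrite a Django 3.x style entry ("example.com", ".example.com") to the
    4.0 format. Entries that already carry a scheme are returned unchanged.
    The scheme to prepend is an assumption; pick the one your site serves."""
    if "://" in old_value:
        return old_value
    if old_value.startswith("."):
        return f"{scheme}://*{old_value}"
    return f"{scheme}://{old_value}"


def is_same_domain(host: str, pattern: str) -> bool:
    """A pattern with a leading dot matches the bare domain and any subdomain;
    anything else must match exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def build_allowed(trusted_origins):
    """Split the setting into exact origins and per-scheme subdomain patterns."""
    exact = set()
    subdomains = {}  # scheme -> list of ".domain" patterns
    for origin in trusted_origins:
        parsed = urlsplit(origin)
        if "*" in parsed.netloc:
            # "https://*.example.com" -> ".example.com" under scheme "https"
            subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
        else:
            exact.add(origin)
    return exact, subdomains


def origin_verified(request_origin: str, trusted_origins) -> bool:
    """True if the Origin header value is trusted for a state-changing request."""
    exact, subdomains = build_allowed(trusted_origins)
    if request_origin in exact:
        return True
    parsed = urlsplit(request_origin)
    if not parsed.scheme or not parsed.netloc:
        return False
    host = parsed.netloc.lower()
    return any(is_same_domain(host, p) for p in subdomains.get(parsed.scheme, []))
```

Note that a scheme mismatch ("http://app.example.com" against "https://*.example.com") is rejected, which is exactly why bare hostnames are no longer accepted in the setting.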