CSRF_TRUSTED_ORIGINS changes (Cross-site request forgery)

• https://en.wikipedia.org/wiki/Cross-site_request_forgery

• https://docs.djangoproject.com/en/dev/releases/4.0/#csrf-trusted-origins-changes

• https://docs.djangoproject.com/en/dev/ref/csrf/#how-it-works

Documentation

• CSRF Cross-site request forgery, (sometimes pronounced sea-surf)

Format change

Values in the CSRF_TRUSTED_ORIGINS setting must include the scheme (e.g. ‘ http:// ’ or ‘ https:// ’) instead of only the hostname.

Also, values that started with a dot, must now also include an asterisk before the dot. For example, change ‘.example.com’ to ‘ https://*.example.com ’.

A system check detects any required changes.

Configuring it may now be required

As CSRF protection now consults the Origin header, you may need to set CSRF_TRUSTED_ORIGINS, particularly if you allow requests from subdomains by setting CSRF_COOKIE_DOMAIN (or SESSION_COOKIE_DOMAIN if CSRF_USE_SESSIONS is enabled) to a value starting with a dot.

Example:

ALLOWED_HOSTS = [
    "localhost",
    "0.0.0.0",
    "intranet.srv.xxx.eu",
    "intranet-staging.srv.xxx.eu",
]
# https://groups.google.com/g/django-developers/c/W_RiCsguaSU/?pli=1
CSRF_TRUSTED_ORIGINS = [
    "http://0.0.0.0",
    "http://localhost",
    "https://intranet.srv.xxx.eu",
    "https://intranet-staging.srv.xxx.eu",
]