Fixed #593: Add some docs for TAKAHE_CSRF_HOSTS

2023-07-02 20:41:38 +01:00 · 2023-07-02 20:41:38 +01:00 · 82a9c18205
parent a8b31e9f6a
commit 82a9c18205
2 changed files with 13 additions and 1 deletions
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -15,7 +15,7 @@ x-takahe-common:
      TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe"
      TAKAHE_DEBUG: "true"
      TAKAHE_SECRET_KEY: "insecure_secret"
-      TAKAHE_CSRF_TRUSTED_ORIGINS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
+      TAKAHE_CSRF_HOSTS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
      TAKAHE_USE_PROXY_HEADERS: "true"
      TAKAHE_EMAIL_BACKEND: "console://console"
      TAKAHE_MAIN_DOMAIN: "example.com"
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -122,6 +122,18 @@ be provided to the containers from the first boot.
 There are some other, optional variables you can tweak once the
 system is up and working - see :doc:`tuning` for more.

+If you are behind a caching proxy, such as Cloudflare, you may need to update
+your CSRF host settings to match. Takahē validates that requests have an
+Origin header that matches their Referer header by default, and these services
+can break that relationship.
+
+Takahē lets you set this up via the ``TAKAHE_CSRF_HOSTS`` environment variable, which takes
+a Python-list-formatted list of additional protocols/domains to allow, with wildcards. It feeds
+directly into Django's `CSRF_TRUSTED_ORIGINS <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_
+setting, so for more information about how to use it, see `the Django documentation <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_ - generally, you'd want to set it to
+your website's public address, so for our server it would have been
+``TAKAHE_CSRF_HOSTS='["https://takahe.social"]'``.
+

 .. _media_configuration: