From 82a9c18205b089567b14845ae2437f01d4a58a12 Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Sun, 2 Jul 2023 20:41:38 +0100
Subject: [PATCH] Fixed #593: Add some docs for TAKAHE_CSRF_HOSTS
---
 docker/docker-compose.yml | 2 +-
 docs/installation.rst | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 0ae9180..2d99887 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -15,7 +15,7 @@ x-takahe-common:
 TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe"
 TAKAHE_DEBUG: "true"
 TAKAHE_SECRET_KEY: "insecure_secret"
- TAKAHE_CSRF_TRUSTED_ORIGINS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
+ TAKAHE_CSRF_HOSTS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
 TAKAHE_USE_PROXY_HEADERS: "true"
 TAKAHE_EMAIL_BACKEND: "console://console"
 TAKAHE_MAIN_DOMAIN: "example.com"
diff --git a/docs/installation.rst b/docs/installation.rst
index a8069f3..7c06bbb 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
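Review bot: The renamed key on the `+` line still points TAKAHE_CSRF_HOSTS at loopback origins with no comment saying what it controls, so operators who copy this compose file as a deployment template get a value that will not match their public site and will only find out when CSRF checks start failing. Since the docs hunk in this same commit states that the value feeds Django's CSRF_TRUSTED_ORIGINS, a one-line comment above it would make the sample self-describing: `# Scheme + host(s) the site is publicly served on; feeds Django CSRF_TRUSTED_ORIGINS (see docs/installation.rst)`. If the application reads only the new name (the rename suggests this, but the diff does not show the settings code), any deployment still carrying TAKAHE_CSRF_TRUSTED_ORIGINS will have that setting silently ignored, which deserves a line in the docs or changelog so existing installs know to rename it.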
@@ -122,6 +122,18 @@ be provided to the containers from the first boot.
 There are some other, optional variables you can tweak once the system is up and working - see :doc:`tuning` for more.
+If you are behind a caching proxy, such as Cloudflare, you may need to update
+your CSRF host settings to match. Takahē validates that requests have an
+Origin header that matches their Referer header by default, and these services
+can break that relationship.
+
+Takahē lets you set this up via the ``TAKAHE_CSRF_HOSTS`` environment variable, which takes
+a Python-list-formatted list of additional protocols/domains to allow, with wildcards. It feeds
+directly into Django's `CSRF_TRUSTED_ORIGINS `_
+setting, so for more information about how to use it, see `the Django documentation `_ - generally, you'd want to set it to
+your website's public address, so for our server it would have been
+``TAKAHE_CSRF_HOSTS='["https://takahe.social"]'``.
+
 .. _media_configuration: