mirror of
https://github.com/jointakahe/takahe.git
synced 2024-12-25 23:00:29 +00:00
Fixed #593: Add some docs for TAKAHE_CSRF_HOSTS
This commit is contained in:
parent
a8b31e9f6a
commit
82a9c18205
2 changed files with 13 additions and 1 deletions
|
@ -15,7 +15,7 @@ x-takahe-common:
|
|||
TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe"
|
||||
TAKAHE_DEBUG: "true"
|
||||
TAKAHE_SECRET_KEY: "insecure_secret"
|
||||
TAKAHE_CSRF_TRUSTED_ORIGINS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
|
||||
TAKAHE_CSRF_HOSTS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
|
||||
TAKAHE_USE_PROXY_HEADERS: "true"
|
||||
TAKAHE_EMAIL_BACKEND: "console://console"
|
||||
TAKAHE_MAIN_DOMAIN: "example.com"
|
||||
|
|
|
@ -122,6 +122,18 @@ be provided to the containers from the first boot.
|
|||
There are some other, optional variables you can tweak once the
|
||||
system is up and working - see :doc:`tuning` for more.
|
||||
|
||||
If you are behind a caching proxy, such as Cloudflare, you may need to update
|
||||
your CSRF host settings to match. Takahē validates that requests have an
|
||||
Origin header that matches their Referer header by default, and these services
|
||||
can break that relationship.
|
||||
|
||||
Takahē lets you set this up via the ``TAKAHE_CSRF_HOSTS`` environment variable, which takes
|
||||
a Python-list-formatted list of additional protocols/domains to allow, with wildcards. It feeds
|
||||
directly into Django's `CSRF_TRUSTED_ORIGINS <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_
|
||||
setting, so for more information about how to use it, see `the Django documentation <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_ - generally, you'd want to set it to
|
||||
your website's public address, so for our server it would have been
|
||||
``TAKAHE_CSRF_HOSTS='["https://takahe.social"]'``.
|
||||
|
||||
|
||||
.. _media_configuration:
|
||||
|
||||
|
|
Loading…
Reference in a new issue