Fixed #593: Add some docs for TAKAHE_CSRF_HOSTS

This commit is contained in:
Andrew Godwin 2023-07-02 20:41:38 +01:00
parent a8b31e9f6a
commit 82a9c18205
2 changed files with 13 additions and 1 deletions

View file

@ -15,7 +15,7 @@ x-takahe-common:
TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe" TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe"
TAKAHE_DEBUG: "true" TAKAHE_DEBUG: "true"
TAKAHE_SECRET_KEY: "insecure_secret" TAKAHE_SECRET_KEY: "insecure_secret"
TAKAHE_CSRF_TRUSTED_ORIGINS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]' TAKAHE_CSRF_HOSTS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
TAKAHE_USE_PROXY_HEADERS: "true" TAKAHE_USE_PROXY_HEADERS: "true"
TAKAHE_EMAIL_BACKEND: "console://console" TAKAHE_EMAIL_BACKEND: "console://console"
TAKAHE_MAIN_DOMAIN: "example.com" TAKAHE_MAIN_DOMAIN: "example.com"

View file

@ -122,6 +122,18 @@ be provided to the containers from the first boot.
There are some other, optional variables you can tweak once the There are some other, optional variables you can tweak once the
system is up and working - see :doc:`tuning` for more. system is up and working - see :doc:`tuning` for more.
If you are behind a caching proxy, such as Cloudflare, you may need to update
your CSRF host settings to match. Takahē validates that requests have an
Origin header that matches their Referer header by default, and these services
can break that relationship.
Takahē lets you set this up via the ``TAKAHE_CSRF_HOSTS`` environment variable, which takes
a Python-list-formatted list of additional protocols/domains to allow, with wildcards. It feeds
directly into Django's `CSRF_TRUSTED_ORIGINS <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_
setting, so for more information about how to use it, see `the Django documentation <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_ - generally, you'd want to set it to
your website's public address, so for our server it would have been
``TAKAHE_CSRF_HOSTS='["https://takahe.social"]'``.
.. _media_configuration: .. _media_configuration: