fix: csrf trusted origins

ocadotechnology · Jan 16, 2025 · a7306c4 · a7306c4
1 parent bd4745a
commit a7306c4
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/codeforlife/settings/django.py b/codeforlife/settings/django.py
@@ -11,7 +11,13 @@
 from django.utils.translation import gettext_lazy as _
 
 from ..types import JsonDict
-from .custom import ENV, SERVICE_BASE_DIR, SERVICE_BASE_URL, SERVICE_NAME
+from .custom import (
+    ENV,
+    SERVICE_BASE_DIR,
+    SERVICE_BASE_URL,
+    SERVICE_NAME,
+    SERVICE_SITE_URL,
+)
 from .otp import AWS_S3_APP_BUCKET, RDS_DB_DATA_PATH
 
 if t.TYPE_CHECKING:
@@ -155,6 +161,7 @@ def get_databases():
 
 CSRF_COOKIE_NAME = f"{SERVICE_NAME}_csrftoken"
 CSRF_COOKIE_DOMAIN = os.getenv("CSRF_COOKIE_DOMAIN", "localhost")
+CSRF_TRUSTED_ORIGINS = [SERVICE_SITE_URL]
 CSRF_COOKIE_SAMESITE = "Strict"
 CSRF_COOKIE_SECURE = True