From 1ca2e22563b57b1bb34d4ffad3a8ae1e527f342d Mon Sep 17 00:00:00 2001
From: Matthew Lemon
Date: Wed, 24 Apr 2024 20:39:26 +0100
Subject: Another fix for CSRF and loginrequired middleware
---
 ded/settings.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'ded/settings.py')
diff --git a/ded/settings.py b/ded/settings.py
index b2b1da0..f9c3e8a 100644
--- a/ded/settings.py
+++ b/ded/settings.py
@@ -16,13 +16,18 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # For staging (on OpenShift)
 # was getting 403, CSRF verification failed error
+# doesn't work
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SECURE = True
+CSRF_TRUSTED_ORIGINS = [
+ 'https://*.apps.ocp1.azure.dso.digital.mod.uk',
+]
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
+# TODO Replace with environment variable
 SECRET_KEY = "django-insecure-z*tv24r*)-$q*l1=l64))qocs1x$*10c&6w_@ld^dw#=q#ndy2"
 # SECURITY WARNING: don't run with debug turned on in production!
--
cgit v1.2.3
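Review bot: The wildcard entry added to `CSRF_TRUSTED_ORIGINS` trusts every hostname under `*.apps.ocp1.azure.dso.digital.mod.uk`, which looks like the cluster-wide apps domain rather than this application's own route, so any other workload routed under that domain would pass Django's Origin/Referer check for unsafe requests. Pin the list to the exact staging origin instead, e.g. `CSRF_TRUSTED_ORIGINS = ['https://<this-app-route-host>']` (placeholder), ideally supplied per environment rather than hard-coded in the shared settings module. The added `# doesn't work` comment does not say which setting it refers to or what failed, so it should name the setting and the observed error. The new `# TODO Replace with environment variable` above `SECRET_KEY` should also record that the committed key is already in repository history and has to be rotated when it is moved, not merely relocated.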