From 988a8826ea8a4a132aa073985a39e9319772fee1 Mon Sep 17 00:00:00 2001
From: Kira Miller <31229189+kiram15@users.noreply.github.com>
Date: Thu, 1 Aug 2024 14:03:24 -0600
Subject: [PATCH] fix: adding production variable for https (#896)

Co-authored-by: Ubuntu
---
 enterprise_catalog/settings/production.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/enterprise_catalog/settings/production.py b/enterprise_catalog/settings/production.py
index 472339fed..4a4058bea 100644
--- a/enterprise_catalog/settings/production.py
+++ b/enterprise_catalog/settings/production.py
@@ -9,6 +9,14 @@
 DEBUG = False
 TEMPLATE_DEBUG = DEBUG
 
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 ALLOWED_HOSTS = ['*']
 
 LOGGING = get_logger_config()
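Review bot: The comment added above SECURE_PROXY_SSL_HEADER understates the deployment contract: the setting is only safe when the proxy sets or overwrites X-Forwarded-Proto on every request it forwards, not merely strips a client-supplied one, so `# strips the header HTTP_X_FORWARDED_PROTO from client requests.` should read `# sets or overwrites the header HTTP_X_FORWARDED_PROTO on every request it forwards,` with the next line adjusted accordingly. A request that reaches the app on a path that bypasses or misconfigures that proxy would make `request.is_secure()` report True, which feeds every check Django keys off it (SECURE_SSL_REDIRECT, build_absolute_uri scheme, Secure cookie flags). Whether the companion settings that normally accompany this one (SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE) are defined elsewhere in production.py is not visible in this hunk; if they are not, this change only alters what is_secure() reports and does not by itself enforce TLS. The settings module continues outside the hunk.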