From 139d79b2e63d3d6a03c39ac3cfcd620fbb97d961 Mon Sep 17 00:00:00 2001
From: Luc
Date: Wed, 8 Dec 2021 10:56:06 +0100
Subject: [PATCH] Introduce extra security for x-forwarded-host header

I think this secures the website even more by also checking the x-forwarded-host header for every request. This is an addition to the previous commit
---
 tubesync/tubesync/local_settings.py.container | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tubesync/tubesync/local_settings.py.container b/tubesync/tubesync/local_settings.py.container
index ac75508..a428dc0 100644
--- a/tubesync/tubesync/local_settings.py.container
+++ b/tubesync/tubesync/local_settings.py.container
@@ -19,6 +19,11 @@ CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS_STR.split(',')
 ALLOWED_HOSTS = [127.0.0.1]
+if len(ALLOWED_HOSTS_STR) > 0:
+ USE_X_FORWARDED_HOST = True
+ ALLOWED_HOSTS += CSRF_TRUSTED_ORIGINS
+
+
 DEBUG = True if os.getenv('TUBESYNC_DEBUG', False) else False
 FORCE_SCRIPT_NAME = os.getenv('DJANGO_FORCE_SCRIPT_NAME', None)
 TIME_ZONE = os.getenv('TZ', 'UTC')
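Review bot: `USE_X_FORWARDED_HOST = True` does not add a check, it makes Django read the request host from the X-Forwarded-Host header instead of Host, so it is only sound when a reverse proxy in front of the container always overwrites that header; if the container is reachable directly, any client can supply it, and the commit message's "checking the x-forwarded-host header" overstates what the setting does. The assumption deserves a comment next to the line, e.g. `# Trust X-Forwarded-Host only because the container sits behind a proxy that sets it; Django still validates the forwarded host against ALLOWED_HOSTS.` Separately, `ALLOWED_HOSTS += CSRF_TRUSTED_ORIGINS` feeds a list meant for origins into a hostname allowlist: depending on the Django version, CSRF_TRUSTED_ORIGINS entries must carry a scheme (`https://host`), which never matches a Host header, so the hostnames should be derived from the env var in their own right, e.g. `ALLOWED_HOSTS += [h.strip() for h in ALLOWED_HOSTS_STR.split(',') if h.strip()]`, which also discards the empty entries that `split(',')` yields for stray commas. Stylistically `if len(ALLOWED_HOSTS_STR) > 0:` is the non-idiomatic form of `if ALLOWED_HOSTS_STR:`, and the unquoted `[127.0.0.1]` on the context line looks like an extraction artifact rather than the file's real content, though that is outside this change.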