From 7e6e7376cf0893450ea38b2071a6c6a590eb61a8 Mon Sep 17 00:00:00 2001
From: zawan-ila <87228907+zawan-ila@users.noreply.github.com>
Date: Tue, 10 Sep 2024 16:12:33 +0500
Subject: [PATCH] fix: add setting variable to determine request scheme (#4438)

---
 course_discovery/settings/production.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/course_discovery/settings/production.py b/course_discovery/settings/production.py
index bb2c408853..44609c0bd0 100644
--- a/course_discovery/settings/production.py
+++ b/course_discovery/settings/production.py
@@ -94,3 +94,10 @@
 k.lower(): (v.replace("\\n", "\n") if k.lower() == "private_key" else v)
 for (k, v) in GOOGLE_SERVICE_ACCOUNT_CREDENTIALS.items()
 }
+
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See https://docs.djangoproject.com/en/5.1/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
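Review bot: `SECURE_PROXY_SSL_HEADER` is hard-coded for every deployment that imports production.py, so any instance that is not fronted by a proxy controlling `X-Forwarded-Proto` will let a client spoof `request.is_secure()` (and with it secure-cookie and absolute-URL behaviour) simply by sending that header; the comment states the requirement but nothing enforces it. If this settings module already loads per-deployment overrides from environment or YAML config (not visible in this hunk), it would be safer to source the value from there so deployments without such a proxy leave it unset, e.g. `SECURE_PROXY_SSL_HEADER = tuple(X) if X else None` with X being the configured pair. The comment's "strips the header" is also only half of what Django requires: the proxy must overwrite the header with the real scheme on every request, not merely drop client-supplied values, so I would reword it to `# strips any client-supplied X-Forwarded-Proto header and sets it itself from the actual connection scheme.` The META key is `HTTP_X_FORWARDED_PROTO` and the wire header is `X-Forwarded-Proto`; `X_FORWARDED_PROTO` in the comment matches neither.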