Reputation: 43
I use Cookiecutter Django as a starter for my projects, and it uses Traefik (within a Docker container) to generate certificates using Let's Encrypt. However, my company mandates the use of Apache as the proxy for all servers, and the management of the Apache server is handled by another team.
To accommodate this, I disabled the Traefik certificate generation, made necessary configuration changes, etc. Everything was functioning correctly, except for the CORS protection. I encountered a 403 error on every POST request, and the log indicated the following warning:
WARNING 2024-02-09 08:49:15,953 log Forbidden (Origin checking failed - https://example.com does not match any trusted origins.): /accounts/login/
Upon investigating, I found that adding the setting CSRF_TRUSTED_ORIGINS solves my problem. Adding CSRF_TRUSTED_ORIGINS=https://example.com to my config file resolved the issue.
My question is: is this approach considered unsafe?
Upvotes: 0
Views: 401
Reputation: 75
Yes, adding CSRF_TRUSTED_ORIGINS to your config file is not safe.
The CSRF_TRUSTED_ORIGINS setting is used to specify a list of origins that are trusted to make cross-site requests to your Django application. By adding https://example.com to this setting, you are essentially telling Django to trust any request that comes from that particular domain.
This can be dangerous if you are careless, because an attacker can create a malicious website that tricks users into submitting forms on your site.
It is best to avoid using CSRF_TRUSTED_ORIGINS unless you are absolutely sure that you want it. If you need to use it, make sure to only add origins that you trust to your config file.
Upvotes: 1
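Added example, not part of the question or the answer above: a simplified, self-contained re-implementation of the Origin check that Django's CsrfViewMiddleware runs on unsafe-method requests and that produces the "Origin checking failed" warning in the question. It is illustrative code, not Django's own source. The request scheme and host passed in are assumed to be whatever Django itself would derive (request.scheme and request.get_host(), after any SECURE_PROXY_SSL_HEADER or USE_X_FORWARDED_HOST configuration). The scenario in demo() assumes, as one common cause and not something the question states, that a TLS-terminating proxy hands Django a plain-HTTP request so the derived scheme is "http" while the browser's Origin header says "https".

```python
"""Simplified model of Django's CSRF Origin verification (illustrative, not Django's code).

Order of checks, mirroring the middleware:
  1. Origin header equals "<request scheme>://<request host>"  -> same-origin, allowed.
  2. Origin header is listed verbatim in CSRF_TRUSTED_ORIGINS    -> allowed.
  3. Origin matches a "https://*.example.com" wildcard entry     -> allowed.
  4. Anything else (including a missing/unparseable Origin)      -> rejected (403).
"""
from urllib.parse import urlsplit


def _is_same_domain(host: str, pattern: str) -> bool:
    """Mirror of django.utils.http.is_same_domain.

    A pattern starting with "." matches the bare domain and every subdomain;
    any other pattern must match the host exactly.
    """
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def _split_trusted_origins(trusted_origins):
    """Split CSRF_TRUSTED_ORIGINS into exact origins and per-scheme wildcard patterns.

    Every entry must carry a scheme (Django 4.0+ requires this); a bare
    "example.com" is a configuration error, not a silently-trusted host.
    """
    exact = set()
    subdomains = {}  # scheme -> [".example.com", ...]
    for origin in trusted_origins:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"CSRF_TRUSTED_ORIGINS entry must include a scheme: {origin!r}")
        if "*" not in parts.netloc:
            exact.add(origin)
        elif parts.netloc.startswith("*."):
            subdomains.setdefault(parts.scheme, []).append(parts.netloc[1:])
        else:
            raise ValueError(f"Only leading '*.' wildcards are supported: {origin!r}")
    return exact, subdomains


def origin_is_trusted(origin_header, request_scheme, request_host, trusted_origins=()):
    """Return True when the request's Origin passes the CSRF origin check.

    origin_header  : value of the browser's Origin request header.
    request_scheme : what request.scheme resolves to inside Django.
    request_host   : what request.get_host() resolves to inside Django.
    trusted_origins: the CSRF_TRUSTED_ORIGINS setting.
    """
    # 1. Same origin as the request Django believes it is serving.
    good_origin = f"{request_scheme}://{request_host}"
    if origin_header == good_origin:
        return True

    # 2. Exact entries from CSRF_TRUSTED_ORIGINS.
    exact, subdomains = _split_trusted_origins(trusted_origins)
    if origin_header in exact:
        return True

    # 3. Wildcard entries, matched only within the same scheme.
    parts = urlsplit(origin_header)
    if not parts.scheme or not parts.netloc:
        return False  # e.g. Origin: null, or a garbage header
    return any(
        _is_same_domain(parts.netloc, pattern)
        for pattern in subdomains.get(parts.scheme, [])
    )


def demo():
    """Constructed scenario (assumption, not from the question): TLS is terminated
    at a proxy, so Django derives scheme "http" while the browser sent an https Origin."""
    origin = "https://example.com"
    behind_proxy = origin_is_trusted(origin, "http", "example.com")          # scheme mismatch -> 403
    fixed_scheme = origin_is_trusted(origin, "https", "example.com")         # correct scheme -> same-origin
    via_setting = origin_is_trusted(origin, "http", "example.com", [origin])  # trusted-origins entry -> allowed
    attacker = origin_is_trusted("https://evil.example.net", "https", "example.com", [origin])  # rejected
    return behind_proxy, fixed_scheme, via_setting, attacker


if __name__ == "__main__":
    print(demo())
```

The practical reading: listing your own public origin in CSRF_TRUSTED_ORIGINS only tells Django that requests carrying that exact Origin header are first-party, which is what the same-origin comparison in step 1 would already conclude if Django derived the right scheme and host behind the proxy. The setting becomes risky when it names origins you do not control, or when a wildcard is wider than the set of subdomains you actually operate.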