From 607704d50483b9ee6feb8841d3b9f09084a2426b Mon Sep 17 00:00:00 2001 From: Ali Nawaz Date: Tue, 10 Sep 2024 00:15:51 +0500 Subject: [PATCH] fix: add setting variable to determine request scheme --- course_discovery/settings/production.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/course_discovery/settings/production.py b/course_discovery/settings/production.py index bb2c408853..44609c0bd0 100644 --- a/course_discovery/settings/production.py +++ b/course_discovery/settings/production.py @@ -94,3 +94,10 @@ k.lower(): (v.replace("\\n", "\n") if k.lower() == "private_key" else v) for (k, v) in GOOGLE_SERVICE_ACCOUNT_CREDENTIALS.items() } + +# IMPORTANT: With this enabled, the server must always be behind a proxy that +# strips the header X_FORWARDED_PROTO from client requests. Otherwise, +# a user can fool our server into thinking it was an https connection. +# See https://docs.djangoproject.com/en/5.1/ref/settings/#secure-proxy-ssl-header +# for other warnings. +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')