2026-05-08 14:26:48 +02:00
|
|
|
from decouple import config
|
|
|
|
|
|
|
|
|
|
from .base import * # noqa: F401, F403
|
|
|
|
|
|
|
|
|
|
DEBUG = False
|
|
|
|
|
ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='').split(',')
|
|
|
|
|
|
2026-05-22 02:02:42 +02:00
|
|
|
# Behind traefik (TLS terminated at the proxy). Without these, Django sees the
|
|
|
|
|
# request as plain HTTP and rejects the browser's https:// Origin on every POST
|
|
|
|
|
# with a CSRF failure (403) — the request never reaches the view, so saves fail
|
|
|
|
|
# silently and the DB stays empty. The deployment already injects
|
|
|
|
|
# CSRF_TRUSTED_ORIGINS via env; this reads it.
|
|
|
|
|
CSRF_TRUSTED_ORIGINS = [
|
|
|
|
|
o for o in config('CSRF_TRUSTED_ORIGINS', default='').split(',') if o
|
|
|
|
|
]
|
|
|
|
|
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
|
|
|
|
|
2026-05-08 14:26:48 +02:00
|
|
|
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
|
|
|
|
|
|
|
|
|
|
SECURE_BROWSER_XSS_FILTER = True
|
|
|
|
|
SECURE_CONTENT_TYPE_NOSNIFF = True
|
|
|
|
|
SECURE_HSTS_SECONDS = 31536000
|
|
|
|
|
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
|
|
|
|
|
SESSION_COOKIE_SECURE = True
|
|
|
|
|
CSRF_COOKIE_SECURE = True
|