CSRF Trusted Origins

[sixcolors]

A possible solution that maintains best practice for CSRF protection while addressing some users issue where they have multilple origins that they consider trusted, could be to mirror https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS

Originally posted by @sixcolors in #2904 (review)

[sixcolors]

One of the users, @sebytza23, faced a challenge with hosting both the backend and the client on the same server while enforcing HTTPS using Apache2 and Virtualmin for the front end. The issue arose because the user couldn’t use the same port (443) for the Apache2 client and the backend. To help, I suggested using Apache as a reverse proxy for the backend and provided specific configurations for the Apache module, along with ProxyPass directives. Additionally, I informed the user about the ongoing addition of TrustedOrigins to the CSRF middleware in gofiber.

For reference, for anyone else with a similar setup:

Enable Apache Modules:

sudo a2enmod proxy
sudo a2enmod proxy_http

Configure ProxyPass:

Edit your Apache configuration file. This could be the default configuration file located at /etc/apache2/sites-available/000-default.conf or a custom configuration file. Add the ProxyPass directive to forward requests to your API.

<VirtualHost *:443>
    ServerName your-domain.com

    # ... other configuration settings ...

    ProxyPass /api http://localhost:3000/
    ProxyPassReverse /api http://localhost:3000/
# Forward client's IP address
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}
    RequestHeader set X-Real-IP %{REMOTE_ADDR}
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

Restart Apache:

sudo systemctl restart apache2

[ReneWerner87]

solved by #2910