author | Marcello Stanisci <stanisci.m@gmail.com> | 2018-11-26 19:13:09 +0100 |
---|---|---|
committer | Marcello Stanisci <stanisci.m@gmail.com> | 2018-11-26 19:13:43 +0100 |
commit | 0f5a442ed7dfb4358742df74ccc8654c17f411b3 (patch) | |
tree | 80d3570e860ee1781cf487764af483d4d6d21960 /etc/nginx/uwsgi_params | |
parent | 02f70ebfbe687b809f21d205108d3e05d6fa33f6 (diff) | |
Fake Referer:-header from Nginx.
Diffstat (limited to 'etc/nginx/uwsgi_params')
-rw-r--r-- | etc/nginx/uwsgi_params | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/etc/nginx/uwsgi_params b/etc/nginx/uwsgi_params
index 09c732c..3c01f66 100644
--- a/etc/nginx/uwsgi_params
+++ b/etc/nginx/uwsgi_params
@@ -15,3 +15,11 @@ uwsgi_param REMOTE_ADDR $remote_addr;
 uwsgi_param REMOTE_PORT $remote_port;
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
+
+# fake HTTP Referer:-header. This is allowed since
+# all Taler sites run under HTTPS, and so that extra
+# check on the Referer:-header required by Django is
+# overkill. Link below has full story.
+# https://security.stackexchange.com/questions/96114/why-is-referer-checking-needed-for-django-to-prevent-csrf
+
+uwsgi_param HTTP_REFERER $scheme://$host; |
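Review bot: The added `uwsgi_param HTTP_REFERER $scheme://$host;` overwrites the client's Referer on every request, so Django's strict Referer check on HTTPS requests can never fail, and the comment's reasoning is inverted: Django applies that check only to HTTPS requests, as a defence for the case where the CSRF cookie was planted from a plain-HTTP or sibling-subdomain origin. With the header forged at the proxy, CSRF protection rests on the token/cookie comparison alone, and any application code or logging that reads the Referer sees the fabricated value. If the motivation is legitimate cross-origin or Referer-less clients (not visible from this hunk), I would drop the line and list the allowed origins in Django's `CSRF_TRUSTED_ORIGINS` instead; if it has to stay, the comment should state the trade-off, e.g. `# WARNING: disables Django's HTTPS Referer check; CSRF now relies on the token alone.`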