From 0f5a442ed7dfb4358742df74ccc8654c17f411b3 Mon Sep 17 00:00:00 2001
From: Marcello Stanisci
Date: Mon, 26 Nov 2018 19:13:09 +0100
Subject: Fake Referer:-header from Nginx.

---
 etc/nginx/uwsgi_params | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'etc/nginx/uwsgi_params')

diff --git a/etc/nginx/uwsgi_params b/etc/nginx/uwsgi_params
index 09c732c..3c01f66 100644
--- a/etc/nginx/uwsgi_params
+++ b/etc/nginx/uwsgi_params
@@ -15,3 +15,11 @@ uwsgi_param REMOTE_ADDR $remote_addr;
 uwsgi_param REMOTE_PORT $remote_port;
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
+
+# fake HTTP Referer:-header. This is allowed since
+# all Taler sites run under HTTPS, and so that extra
+# check on the Referer:-header required by Django is
+# overkill. Link below has full story.
+# https://security.stackexchange.com/questions/96114/why-is-referer-checking-needed-for-django-to-prevent-csrf
+
+uwsgi_param HTTP_REFERER $scheme://$host;
--
cgit v1.2.3
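Review bot: Overwriting HTTP_REFERER with `$scheme://$host` on the last added line disables Django's CSRF Referer check for every request, because each request now looks same-origin to CsrfViewMiddleware no matter where the browser actually came from. The rationale in the added comment is inverted: Django performs this check only over HTTPS, precisely because TLS does not stop an active network attacker from setting a CSRF cookie for the site through a plain-HTTP response (the "cookie forcing" case the linked question is about), and the Referer is the remaining origin signal in that scenario. The override also clobbers any Referer the client did send, so application-side logging or redirect logic that reads it will see a fabricated value. If the motivation is legitimate cross-origin POSTs between Taler hosts, the supported fix is to list those origins in Django's `CSRF_TRUSTED_ORIGINS` setting and keep passing the real header; otherwise drop the `uwsgi_param HTTP_REFERER $scheme://$host;` line, and in any case reword the comment to say the check is being bypassed rather than that it is redundant under HTTPS.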