commit 0f5a442ed7dfb4358742df74ccc8654c17f411b3 parent 02f70ebfbe687b809f21d205108d3e05d6fa33f6 Author: Marcello Stanisci <stanisci.m@gmail.com> Date: Mon, 26 Nov 2018 19:13:09 +0100 Fake Referer:-header from Nginx. Diffstat:
| M | etc/nginx/uwsgi_params | | | 8 | ++++++++ |
1 file changed, 8 insertions(+), 0 deletions(-)
diff --git a/etc/nginx/uwsgi_params b/etc/nginx/uwsgi_params
@@ -15,3 +15,11 @@ uwsgi_param REMOTE_ADDR $remote_addr;
 uwsgi_param REMOTE_PORT $remote_port;
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
+
+# fake HTTP Referer:-header. This is allowed since
+# all Taler sites run under HTTPS, and so that extra
+# check on the Referer:-header required by Django is
+# overkill. Link below has full story.
+# https://security.stackexchange.com/questions/96114/why-is-referer-checking-needed-for-django-to-prevent-csrf
+
+uwsgi_param HTTP_REFERER $scheme://$host;
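Review bot: The new `uwsgi_param HTTP_REFERER $scheme://$host;` replaces the client's Referer on every request with a value derived from the client-supplied Host header, so Django's CSRF referer check on HTTPS requests always compares the site against itself and can no longer reject a cross-site POST; the comment's justification is inverted, because Django performs that check only for HTTPS precisely to cover the case its linked discussion describes (an attacker able to set a same-site cookie over plain HTTP defeats the cookie/token comparison alone), and running everything under HTTPS is the reason the check exists, not a reason to drop it. If the motivation is clients that send no Referer (privacy settings, `Referrer-Policy: no-referrer`), note that an attacker's page can suppress the header the same way, so a `map` that falls back to `$scheme://$host` only when `$http_referer` is empty would be no stronger than this unconditional rewrite. The safer path is to forward the real header and configure Django's `CSRF_TRUSTED_ORIGINS` for the legitimate cross-origin callers; if the check is deliberately being disabled, the comment should record the residual risk rather than call it overkill, e.g. `# Disables Django's CSRF Referer check for HTTPS; CSRF protection now rests on the cookie/token pair alone.`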