mirror of https://github.com/snachodog/mybuddy.git
64 lines
2.0 KiB
Markdown
# Security

## `ALLOWED_HOSTS`

*Default:* `*` (any host)

Set this variable to a single host or comma-separated list of hosts without spaces.
This should *always* be set to a specific host or hosts in production deployments.

Do not include schemes ("http" or "https") with this setting.

**Example value**

```
baby.example.test,baby.example2.test
```

**See also**

- [Django's documentation on the ALLOWED_HOSTS setting](https://docs.djangoproject.com/en/4.0/ref/settings/#allowed-hosts)
- [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
- [`SECURE_PROXY_SSL_HEADER`](#secure_proxy_ssl_header)

## `CSRF_TRUSTED_ORIGINS`

*Default:* `None`

If Baby Buddy is behind a proxy, you may need to add all possible origins to this setting
for form submission to work correctly. Separate multiple origins with commas.

Each entry must contain both the scheme (http, https) and fully-qualified domain name.

**Example value**

```
https://baby.example.test,http://baby.example2.test,http://babybudy
```

**See also**

- [Django's documentation on the `CSRF_TRUSTED_ORIGINS` setting](https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-CSRF_TRUSTED_ORIGINS)
- [`ALLOWED_HOSTS`](#allowed_hosts)
- [`SECURE_PROXY_SSL_HEADER`](#secure_proxy_ssl_header)

## `SECRET_KEY`

*Default:* `None`

A random, unique string must be set as the "secret key" before Baby Buddy can
be deployed and run.

See also [Django's documentation on the SECRET_KEY setting](https://docs.djangoproject.com/en/4.0/ref/settings/#secret-key).

## `SECURE_PROXY_SSL_HEADER`

*Default:* `None`

If Baby Buddy is behind a proxy, you may need to set this to `True` in order to
trust the `X-Forwarded-Proto` header that comes from your proxy. Whenever that
header's value is "https", the request is treated as secure (i.e., it originally
came in via HTTPS).

**See also**

- [Django's documentation on the SECURE_PROXY_SSL_HEADER setting](https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header)
- [`ALLOWED_HOSTS`](#allowed_hosts)
- [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
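An added example, not Baby Buddy's own code, that turns the rules in the `ALLOWED_HOSTS`, `CSRF_TRUSTED_ORIGINS` and `SECRET_KEY` sections into a pre-deployment check and models how Django decides a proxied request is secure once `SECURE_PROXY_SSL_HEADER` is enabled. The function names are my own, and the environment values and request metadata passed in are constructed sample data.

```python
"""Deployment check modelling the Baby Buddy security settings above.
Added example, not Baby Buddy's code: applies the documented rules (no schemes
or spaces in ALLOWED_HOSTS, scheme plus host in each CSRF_TRUSTED_ORIGINS entry,
SECRET_KEY required) and models how Django judges a proxied request secure once
SECURE_PROXY_SSL_HEADER is enabled.
"""
from urllib.parse import urlsplit


def parse_allowed_hosts(value: str) -> list[str]:
    """Split ALLOWED_HOSTS on commas; reject schemes and whitespace."""
    hosts = [h for h in value.split(",") if h]
    for host in hosts:
        if "://" in host:
            raise ValueError(f"ALLOWED_HOSTS entry has a scheme: {host!r}")
        if host != host.strip() or " " in host:
            raise ValueError(f"ALLOWED_HOSTS entry has spaces: {host!r}")
    return hosts


def parse_csrf_trusted_origins(value: str) -> list[str]:
    """Split CSRF_TRUSTED_ORIGINS; each entry needs scheme and host."""
    origins = [o for o in value.split(",") if o]
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"origin needs scheme and host: {origin!r}")
    return origins


def check_production_settings(env: dict[str, str]) -> list[str]:
    """Return warnings for values that are unsafe in production."""
    warnings = []
    if not env.get("SECRET_KEY"):
        warnings.append("SECRET_KEY is not set")
    if "*" in parse_allowed_hosts(env.get("ALLOWED_HOSTS", "*")):
        warnings.append("ALLOWED_HOSTS accepts any Host header")
    return warnings


def request_is_secure(meta: dict[str, str], trust_proxy_header: bool) -> bool:
    """Model Django's request.scheme with SECURE_PROXY_SSL_HEADER enabled."""
    # Only trust the header when the proxy overwrites it on every request;
    # otherwise a client-supplied X-Forwarded-Proto would be believed.
    forwarded = meta.get("HTTP_X_FORWARDED_PROTO")
    if trust_proxy_header and forwarded is not None:
        # Django compares the first comma-separated value with "https".
        return forwarded.split(",", 1)[0].strip() == "https"
    return meta.get("wsgi.url_scheme") == "https"
```

Run `check_production_settings(dict(os.environ))` at container start-up to fail fast on an empty `SECRET_KEY` or a wildcard `ALLOWED_HOSTS` before the app serves traffic.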