
Commit 9a97472

glasnt and leahecole authored
Add django CSRF setting (GoogleCloudPlatform#7412)
* Add django CSRF setting
* lint

Co-authored-by: Leah E. Cole <6719667+leahecole@users.noreply.github.com>
1 parent 4ef3f72 commit 9a97472


3 files changed: +33 / -7 lines changed


appengine/standard_python3/django/app.yaml

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -18,6 +18,10 @@
1818
# [START gaestd_py_django_app_yaml]
1919
runtime: python39
2020

21+
env_variables:
22+
# This setting is used in settings.py to configure your ALLOWED_HOSTS
23+
# APPENGINE_URL: https://PROJECT_ID.uc.r.appspot.com
24+
2125
handlers:
2226
# This configures Google App Engine to serve the files in the app's static
2327
# directory.
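Review bot: the comment on the new `APPENGINE_URL` line says the value configures only `ALLOWED_HOSTS`, but the settings.py change in this same commit also derives `CSRF_TRUSTED_ORIGINS` from it and turns on `SECURE_SSL_REDIRECT`; say so here, and state that as long as the line stays commented out the app falls back to `ALLOWED_HOSTS = ["*"]` with no trusted CSRF origin, so the deployer has to uncomment it with the real URL after the first deploy. The placeholder should keep its `https://` prefix: settings.py passes the value through `urlparse(APPENGINE_URL, "https")`, which only supplies a scheme when the value has none.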

appengine/standard_python3/django/mysite/settings.py

Lines changed: 17 additions & 4 deletions
@@ -14,6 +14,7 @@
1414

1515
import io
1616
import os
17+
from urllib.parse import urlparse
1718

1819
import environ
1920
from google.cloud import secretmanager
@@ -59,10 +60,22 @@
5960
# Change this to "False" when you are ready for production
6061
DEBUG = env("DEBUG")
6162

62-
# SECURITY WARNING: App Engine's security features ensure that it is safe to
63-
# have ALLOWED_HOSTS = ['*'] when the app is deployed. If you deploy a Django
64-
# app not on App Engine, make sure to set an appropriate host here.
65-
ALLOWED_HOSTS = ["*"]
63+
64+
# [START gaestd_py_django_csrf]
65+
# SECURITY WARNING: It's recommended that you use this when
66+
# running in production. The URL will be known once you first deploy
67+
# to App Engine. This code takes the URL and converts it to both these settings formats.
68+
APPENGINE_URL = env("APPENGINE_URL", default=None)
69+
if APPENGINE_URL:
70+
# Ensure the HTTPS is in the URL before it's used.
71+
APPENGINE_URL = urlparse(APPENGINE_URL, "https").geturl()
72+
73+
ALLOWED_HOSTS = [APPENGINE_URL]
74+
CSRF_TRUSTED_ORIGINS = [urlparse(APPENGINE_URL).netloc]
75+
SECURE_SSL_REDIRECT = True
76+
else:
77+
ALLOWED_HOSTS = ["*"]
78+
# [END gaestd_py_django_csrf]
6679

6780
# Application definition
6881

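Review bot: `ALLOWED_HOSTS = [APPENGINE_URL]` stores a full URL including the scheme, but Django compares `ALLOWED_HOSTS` entries against the bare `Host` header, so `https://PROJECT_ID.uc.r.appspot.com` never matches and every request is rejected with a 400 `DisallowedHost`; it is also the reverse of what the Cloud Run file in this commit does (`netloc` for `ALLOWED_HOSTS`, full URL for `CSRF_TRUSTED_ORIGINS`). Use `ALLOWED_HOSTS = [urlparse(APPENGINE_URL).netloc]`, and for `CSRF_TRUSTED_ORIGINS` use the format the pinned Django version expects (hostnames before 4.0, scheme-qualified origins such as `https://host` from 4.0 on). Two further points: the "Ensure the HTTPS is in the URL" comment overstates what `urlparse(APPENGINE_URL, "https").geturl()` does, since the second argument is only a default scheme applied when the value has none, and a bare hostname is parsed as a path with an empty `netloc`, leaving both settings empty or wrong; and `SECURE_SSL_REDIRECT = True` behind App Engine's TLS-terminating front end needs `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` as well, otherwise Django sees plain HTTP on every request and redirects in a loop.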
run/django/mysite/settings.py

Lines changed: 12 additions & 3 deletions
@@ -14,6 +14,7 @@
1414

1515
import io
1616
import os
17+
from urllib.parse import urlparse
1718

1819
import environ
1920
import google.auth
@@ -65,10 +66,18 @@
6566

6667
DEBUG = env("DEBUG")
6768

68-
# SECURITY WARNING: It's recommended that you change this setting when
69+
# [START cloudrun_django_csrf]
70+
# SECURITY WARNING: It's recommended that you use this when
6971
# running in production. The URL will be known once you first deploy
70-
# to Cloud Run.
71-
ALLOWED_HOSTS = ["*"]
72+
# to Cloud Run. This code takes the URL and converts it to both these settings formats.
73+
CLOUDRUN_SERVICE_URL = env("CLOUDRUN_SERVICE_URL", default=None)
74+
if CLOUDRUN_SERVICE_URL:
75+
ALLOWED_HOSTS = [urlparse(CLOUDRUN_SERVICE_URL).netloc]
76+
CSRF_TRUSTED_ORIGINS = [CLOUDRUN_SERVICE_URL]
77+
SECURE_SSL_REDIRECT = True
78+
else:
79+
ALLOWED_HOSTS = ["*"]
80+
# [END cloudrun_django_csrf]
7281

7382
# Application definition
7483

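Review bot: `SECURE_SSL_REDIRECT = True` is enabled without `SECURE_PROXY_SSL_HEADER`; Cloud Run terminates TLS in front of the container, so unless `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` is set alongside it Django treats every request as plain HTTP and redirects it to itself indefinitely. Also, unlike the App Engine file, `CLOUDRUN_SERVICE_URL` is used as-is with no scheme check: a value without `https://` is parsed as a path, giving an empty `netloc` for `ALLOWED_HOSTS` and a non-origin string in `CSRF_TRUSTED_ORIGINS`, so validating or defaulting the scheme here would turn a silent misconfiguration into an obvious one. The `else` branch leaves `CSRF_TRUSTED_ORIGINS` at its default, which is acceptable for local DEBUG runs but should be stated in the comment.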