.. index::
   pair: Django 4.0 ; Security



.. _django_4_0_security:

==========================================================
CSRF_TRUSTED_ORIGINS changes (Cross-site request forgery)
==========================================================

- https://en.wikipedia.org/wiki/Cross-site_request_forgery
- https://docs.djangoproject.com/en/dev/releases/4.0/#csrf-trusted-origins-changes
- https://docs.djangoproject.com/en/dev/ref/csrf/#how-it-works

Documentation
==============

- :ref:`tuto_secops:csrf`

Format change
====================

Values in the CSRF_TRUSTED_ORIGINS setting must include the scheme
(e.g. 'http://' or 'https://') instead of only the hostname.

Also, values that started with a dot, must now also include an asterisk
before the dot. For example, change '.example.com' to 'https://\*.example.com'.

A system check detects any required changes.


Configuring it may now be required
-------------------------------------

As CSRF protection now consults the Origin header, you may need to set
CSRF_TRUSTED_ORIGINS, particularly if you allow requests from subdomains
by setting CSRF_COOKIE_DOMAIN (or SESSION_COOKIE_DOMAIN if CSRF_USE_SESSIONS
is enabled) to a value starting with a dot.


Example::

    ALLOWED_HOSTS = [
        "localhost",
        "0.0.0.0",
        "intranet.srv.xxx.eu",
        "intranet-staging.srv.xxx.eu",
    ]
    # https://groups.google.com/g/django-developers/c/W_RiCsguaSU/?pli=1
    CSRF_TRUSTED_ORIGINS = [
        "http://0.0.0.0",
        "http://localhost",
        "https://intranet.srv.xxx.eu",
        "https://intranet-staging.srv.xxx.eu",
    ]