CSRF_TRUSTED_ORIGINS changes (Cross-site request forgery)


Format change

Values in the CSRF_TRUSTED_ORIGINS setting must include the scheme (e.g. ‘http://’ or ‘https://’) instead of only the hostname.

Also, values that start with a dot must now also include an asterisk before the dot. For example, change ‘.example.com’ to ‘https://*.example.com’.

A system check detects any required changes.

Configuring it may now be required

As CSRF protection now consults the Origin header, you may need to set CSRF_TRUSTED_ORIGINS, particularly if you allow requests from subdomains by setting CSRF_COOKIE_DOMAIN (or SESSION_COOKIE_DOMAIN if CSRF_USE_SESSIONS is enabled) to a value starting with a dot.
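The format rules and the Origin header check described above, as an added example that is not Django's own code: a checker for CSRF_TRUSTED_ORIGINS entries in the new format, and a matcher that decides whether a request's Origin value is covered by them. The wildcard matching follows Django's is_same_domain behaviour, where ‘https://*.example.com’ also matches the bare ‘https://example.com’; both settings lists are constructed samples.

```python
"""Illustration of the CSRF_TRUSTED_ORIGINS format change (not Django's code)."""
from urllib.parse import urlparse

# Constructed samples: the pre-change form and its corrected equivalent.
OLD_CSRF_TRUSTED_ORIGINS = ["example.com", ".example.com"]
NEW_CSRF_TRUSTED_ORIGINS = ["https://example.com", "https://*.example.com"]


def check_trusted_origin(value: str) -> list:
    """Return the problems with one entry, in the spirit of the system check.
    An empty list means the entry is in the required new format."""
    problems = []
    if "://" not in value:
        problems.append(f"{value!r}: must start with a scheme such as 'https://'")
        return problems
    netloc = urlparse(value).netloc
    if netloc.startswith("."):
        problems.append(f"{value!r}: a leading dot needs a '*' before it, e.g. '*{netloc}'")
    return problems


def origin_allowed(origin: str, trusted_origins: list) -> bool:
    """Does an Origin header value match any trusted origin?
    Exact entries must match scheme and host (including any port) exactly.
    '*.' entries match the same scheme on any subdomain, and also the bare
    domain itself, as Django's is_same_domain does."""
    parsed = urlparse(origin)
    if not parsed.scheme or not parsed.netloc:
        return False  # e.g. the literal 'null' origin or a malformed value
    for trusted in trusted_origins:
        if check_trusted_origin(trusted):
            continue  # an entry in the old format never grants trust
        t = urlparse(trusted)
        if t.scheme != parsed.scheme:
            continue  # http:// and https:// origins are distinct
        if t.netloc.startswith("*."):
            suffix = t.netloc[1:]  # '.example.com'
            if parsed.netloc == suffix[1:] or parsed.netloc.endswith(suffix):
                return True
        elif parsed.netloc == t.netloc:
            return True
    return False
```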


# https://groups.google.com/g/django-developers/c/W_RiCsguaSU/?pli=1