Align Orign and Host header (#14970)

* Align Orign and Host header * Before this change the Host: header was runserver. Seems to be set by nginx upstream flow. * After this change we explicitly set the Host: header * More about CSRF checks ... CSRF checks that Origin == Host. Think about how the browser works. <browser goes to awx.com> "I'm executing javascript that I downloaded from awx.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header == Origin: header; OK! vs. the malicious case. <hacker injects javascript code into google.com> <browser goes to google.com> "I'm executing javascript that I downloaded from google.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header != Origin: header; NOT OK! * Update awx/settings/development.py --------- Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
2026-01-10 15:32:07 -03:30 · 2024-03-11 17:06:09 -04:00 · 2024-03-11 17:06:09 -04:00 · ad96a92fa7
commit ad96a92fa7
parent ca8085fe7e
2 changed files with 1 additions and 1 deletions
--- a/awx/settings/development.py
+++ b/awx/settings/development.py
@ -74,7 +74,6 @@ AWX_CALLBACK_PROFILE = True
 AWX_DISABLE_TASK_MANAGERS = False

 # Needed for launching runserver in debug mode
-CSRF_TRUSTED_ORIGINS = ["https://localhost:8043"]
 # ======================!!!!!!! FOR DEVELOPMENT ONLY !!!!!!!=================================

 # Store a snapshot of default settings at this point before loading any
--- a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
@ -46,4 +46,5 @@ location @fallback {
    # Add trailing / if missing
    rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
    proxy_pass http://runserver;
+    proxy_set_header Host $http_host;
 }