Proxy HTTPS Settings

I recently upgraded from a free instance to a starter instance web service. Once I redeployed my Django application, I started getting 403 CSRF origin check failures.

After doing a little research I found two resources:

These led me to add a new configuration to my Django config:
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

After making this change, my application works as expected. However, I would like to confirm the proxy setup (as hinted in the Django documentation) due to this being a security configuration.

  1. Is this behavior expected from Render? Once upgrading the web service instance, is the application now behind a proxy?
  2. Does the proxy strip the X-Forwarded-Proto header from all incoming requests, even when it contains a comma-separated list of protocols?
  3. Does the proxy set the X-Forwarded-Proto header and send it to the application, but only for requests that originally come in via HTTPS?

Thanks!

Hi there,

Render will redirect any requests made to your service to HTTPS. However, SSL is terminated in our proxy layer; this means the actual protocol used when making a request to your service will be plain HTTP. To let your service know that the request was actually made using SSL/HTTPS and is secure, our proxy will set X-Forwarded-Proto to https.

So the answer is yes to all your questions.

Regards,

Keith
Render Support, UTC+10

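An added example, not code from this thread, from Django, or from Render: a simplified Python model of how Django derives the request scheme and compares it with the Origin header. It shows why the 403 appeared once TLS was terminated at the proxy, and why the setting is only safe when the proxy overwrites any client-supplied X-Forwarded-Proto. `proxy_forward`, `origin_ok` and the host name are hypothetical, and CSRF_TRUSTED_ORIGINS is left out of the model.

```python
# Simplified model of the scheme detection and CSRF Origin check.
# Added illustration; this is not Django's or Render's source code.

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme(environ, proxy_header=None):
    """Return the scheme the application believes the client used."""
    if proxy_header:
        name, secure_value = proxy_header
        value = environ.get(name)
        if value is not None:
            # Only the first entry of a comma-separated list is considered.
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")


def origin_ok(environ, proxy_header=None):
    """Origin must equal scheme://host as the application sees it."""
    expected = f"{scheme(environ, proxy_header)}://{environ['HTTP_HOST']}"
    return environ.get("HTTP_ORIGIN") == expected


def proxy_forward(client_scheme, client_headers):
    """Hypothetical TLS-terminating proxy: drop the client's header,
    set its own value, and forward to the app over plain HTTP."""
    environ = {k: v for k, v in client_headers.items()
               if k != "HTTP_X_FORWARDED_PROTO"}
    environ["HTTP_X_FORWARDED_PROTO"] = client_scheme
    environ["wsgi.url_scheme"] = "http"
    return environ


# Constructed sample request: a browser POST made over HTTPS.
BROWSER_POST = {"HTTP_HOST": "app.example.com",
                "HTTP_ORIGIN": "https://app.example.com"}
CLIENT_HEADER = {"HTTP_X_FORWARDED_PROTO": "https, http"}


def demo():
    env = proxy_forward("https", BROWSER_POST)
    without_setting = origin_ok(env)                       # the 403 case
    with_setting = origin_ok(env, SECURE_PROXY_SSL_HEADER)
    # A client-supplied header is replaced by the proxy's own value.
    behind_proxy = scheme(proxy_forward("http", {**BROWSER_POST, **CLIENT_HEADER}),
                          SECURE_PROXY_SSL_HEADER)
    # With no proxy in front, the client's header would be trusted as-is.
    direct = scheme({**BROWSER_POST, **CLIENT_HEADER, "wsgi.url_scheme": "http"},
                    SECURE_PROXY_SSL_HEADER)
    return without_setting, with_setting, behind_proxy, direct
```

The last value is the case the Django documentation warns about: the setting should only be enabled when every request reaches the application through a proxy that sets the header itself.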

Thank you!
