CSRF Failed when creating projects through ngrok on Windows + WSL 2 (Django not reading DJANGO_CSRF_TRUSTED_ORIGINS)

[roundspecs]

Hi everyone 👋 

I’m trying to self‑host CVAT locally and make it accessible via ngrok, but I can’t get past a CSRF Failed: Origin checking failed error when creating a project.
Despite setting DJANGO_CSRF_TRUSTED_ORIGINS, Django inside cvat_server always shows an empty list [].

Environment

• Windows 11 Pro
• Ubuntu 22.04 via WSL 2
• Docker Desktop v27 (WSL integration enabled)
• CVAT cloned from the official cvat-ai/cvat repo (latest develop branch)

What I tried

1. CVAT works fine at http://localhost:8080.
2. Exposed it securely with:

   ngrok http 8080 --host-header="localhost:8080"

   → works for login and navigation.
3. But when creating a project, I get:

   CSRF Failed: Origin checking failed - https://<random>.ngrok-free.app does not match any trusted origins.
   

4. Tried adding trusted origins in multiple ways:
   • .env:

     DJANGO_CSRF_TRUSTED_ORIGINS=https://*.ngrok-free.app,https://*.ngrok.app
     

   • docker-compose.override.yml:

     services:
       cvat_server:
         environment:
           DJANGO_CSRF_TRUSTED_ORIGINS: "https://*.ngrok-free.app,https://*.ngrok.app"

   • CVAT_DJANGO_CSRF_TRUSTED_ORIGINS variant
   • Inline:

     DJANGO_CSRF_TRUSTED_ORIGINS="https://*.ngrok-free.app,https://*.ngrok.app" docker compose up -d

5. In all cases, running inside the container shows:

   docker exec -it cvat_server python3 manage.py shell -c \
     "from django.conf import settings; print(settings.CSRF_TRUSTED_ORIGINS)"
   []

   → Django ignores the variable completely.
6. Also tried editing cvat/cvat/settings/base.py manually with:

   ...
   CSRF_TRUSTED_ORIGINS = ["https://*.ngrok-free.app", "https://*.ngrok.app"]

   but that file doesn’t seem to load automatically on container restart.

Questions

1. What is the correct way to define CSRF_TRUSTED_ORIGINS so Django inside CVAT actually respects it?
2. Is there a Compose or environment‑variable naming pattern that CVAT’s entrypoint recognizes for Django settings?
3. Any simpler method people use to expose CVAT securely (ngrok, Cloudflare Tunnel, etc.) while avoiding CSRF rejections?

Thanks so much for reading — I’ve been stuck on this one issue for a while 🙏