CSRF?

[io7m]

Hello.

On a new install behind an nginx TLS proxy, I'm seeing a CSRF error:

Forbidden (403)

CSRF verification failed. Request aborted.

Looking in the production environment file, I see this:

https://github.com/wger-project/docker/blob/ec159f0af9a49c8472fd58c6eddd81f0b15ee29e/config/prod.env#L13

There is no "deployment" section and nothing about CSRF in the documentation.

The X-Forwarded-Proto header is being set by nginx, but I'm not sure what the value of CSRF_TRUSTED_ORIGINS should be when running inside a podman container.

I'm in a trusted network. Is there a way to turn off CSRF?

[mreilaender]

See https://wger.readthedocs.io/en/latest/production/docker.html#csrf-errors

Settings CSRF_TRUSTED_ORIGINS to my public domain under which wger is served solves it for me