From d5b1d9ce39ea0b78dff78b1118c35ba662baec92 Mon Sep 17 00:00:00 2001
From: Robin Beismann <robin@beismann.biz>
Date: Thu, 7 Apr 2022 16:09:27 +0200
Subject: [PATCH] Added environment variable for CSRF_TRUSTED_ORIGINS

---
 configuration/configuration.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configuration/configuration.py b/configuration/configuration.py
index 1db6051..7bfa6a6 100644
--- a/configuration/configuration.py
+++ b/configuration/configuration.py
@@ -120,6 +120,11 @@ CORS_ORIGIN_ALLOW_ALL = environ.get('CORS_ORIGIN_ALLOW_ALL', 'False').lower() ==
 CORS_ORIGIN_WHITELIST = list(filter(None, environ.get('CORS_ORIGIN_WHITELIST', 'https://localhost').split(' ')))
 CORS_ORIGIN_REGEX_WHITELIST = [re.compile(r) for r in list(filter(None, environ.get('CORS_ORIGIN_REGEX_WHITELIST', '').split(' ')))]
 
+# Cross-Site-Request-Forgery-Attack settings. If Netbox is sitting behind a reverse proxy, you might need to set the CSRF_TRUSTED_ORIGINS flag.
+# Django 4.0 requires to specify the URL Scheme in this setting. An example environment variable could be specified like:
+# CSRF_TRUSTED_ORIGINS=https://demo.netbox.dev http://demo.netbox.dev
+CSRF_TRUSTED_ORIGINS = list(filter(None, environ.get('CSRF_TRUSTED_ORIGINS', 'https://localhost').split(' ')))
+
 # Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
 # sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
 # on a production system.