Merge pull request #5123 from IONISx/tusbar/enable-https-studio

Use HTTP_X_FORWARDED_PROTO header in studio

Merge pull request #5123 from IONISx/tusbar/enable-https-studio
Use HTTP_X_FORWARDED_PROTO header in studio
3570e474 · Feanil Patel · 74ecb84f · 4789c5c9 · 3570e474
Commit 3570e474 authored 10 years ago by Feanil Patel
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -45,6 +45,14 @@ EMAIL_BACKEND = 'django_ses.SESBackend'
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
 DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'

+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 ###################################### CELERY  ################################

 # Don't use a connection pool, since connections are dropped by ELB.