Configuring Baby Buddy to run behind a proxy may require some additional configuration depending on the individual proxy configuration. Baby Buddy's environment variables for configuration should allow most proxy setups to work, but it may require some testing and tweaking of settings.
Cross Site Request Forgery (CSRF) protection is an important way to prevent malicious users from sending fake requests to Baby Buddy to read, alter, or destroy data. To protect against this threat Baby Buddy checks the Origin header of certain requests to ensure that it matches a "trusted" origin for the application. If the origin and host are the same, the CSRF check will pass without any extra configuration, but if the two are different the origin must be listed in CSRF_TRUSTED_ORIGINS for the check to pass.
For example, if Baby Buddy is configured in a container with a private network and a host named babybuddy that is exposed publicly by a proxy (e.g., nginx) at the address https://baby.example.com, then form submissions from browsers will carry an Origin of https://baby.example.com, which does not match the host babybuddy. This will cause a CSRF error and the request will be rejected with a 403 Forbidden error. To support this example configuration the environment variable CSRF_TRUSTED_ORIGINS should be set to the full public address (including the scheme), https://baby.example.com, for CSRF protected requests to succeed.
Note: multiple origins can be added by separating them with commas in the value of CSRF_TRUSTED_ORIGINS.
If Baby Buddy is configured behind a standard HTTP proxy, requests will always be seen as insecure even if the exposed public connection uses HTTPS between the client and the proxy. To address this, most proxies can be configured to pass a special header to Baby Buddy indicating the scheme used by the original request. X-Forwarded-Proto is a common standard header for this feature and it is currently the only header supported by Baby Buddy. To use this feature the SECURE_PROXY_SSL_HEADER environment variable should be set to True, and Baby Buddy will then consider the scheme indicated by the X-Forwarded-Proto header to be the scheme used for the request.
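The following is an added example, not code from Baby Buddy or Django, that models both checks described above (the trusted-origin comparison and the X-Forwarded-Proto scheme detection) so the effect of CSRF_TRUSTED_ORIGINS and SECURE_PROXY_SSL_HEADER can be reasoned about offline. It assumes the two settings behave as the page describes; the header values and the second trusted origin (https://baby.example.org) are constructed samples, and the function names are hypothetical. It goes one step beyond the page by showing that the application's own origin is built from the effective scheme, so a proxy that forwards the public Host but not the scheme still fails the comparison until SECURE_PROXY_SSL_HEADER is enabled.

```python
"""Model of a reverse-proxied request's CSRF origin check and scheme detection.
Added example; assumed setting names and constructed sample headers throughout."""
from urllib.parse import urlsplit


def parse_trusted_origins(env_value: str) -> set[str]:
    """Split a comma-separated CSRF_TRUSTED_ORIGINS value into 'scheme://host' strings.

    The page stresses that each entry must be the full public address including
    the scheme: a bare host such as baby.example.com can never equal an Origin
    header value, so it is rejected here rather than silently never matching.
    """
    origins = set()
    for raw in env_value.split(","):
        entry = raw.strip().rstrip("/")
        if not entry:
            continue  # tolerate stray commas or trailing whitespace
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"trusted origin {entry!r} must include scheme and host")
        origins.add(f"{parts.scheme}://{parts.netloc}")
    return origins


def effective_scheme(headers: dict[str, str], secure_proxy_ssl_header: bool) -> str:
    """Scheme the application should treat the request as using.

    Behind a plain HTTP proxy the socket itself is never TLS, so the client's
    scheme is only knowable from X-Forwarded-Proto, and that header is honoured
    only when the (assumed) SECURE_PROXY_SSL_HEADER setting is enabled.
    """
    if secure_proxy_ssl_header and headers.get("X-Forwarded-Proto", "").lower() == "https":
        return "https"
    return "http"


def csrf_origin_allowed(headers: dict[str, str], secure_proxy_ssl_header: bool,
                        trusted_origins_env: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request that carries an Origin header.

    The Origin must equal the application's own origin (effective scheme plus
    the Host header) or one of the configured trusted origins; otherwise the
    request would be rejected with 403 Forbidden.
    """
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header"
    own_origin = f"{effective_scheme(headers, secure_proxy_ssl_header)}://{headers.get('Host', '')}"
    if origin == own_origin:
        return True, "origin matches the application's own origin"
    if origin in parse_trusted_origins(trusted_origins_env):
        return True, "origin is listed in CSRF_TRUSTED_ORIGINS"
    return False, f"origin {origin!r} does not match {own_origin!r} and is not trusted"


# Constructed sample: a browser POST to https://baby.example.com, proxied by nginx
# to the container host "babybuddy" with the original scheme forwarded.
SAMPLE_HEADERS = {
    "Host": "babybuddy",
    "Origin": "https://baby.example.com",
    "X-Forwarded-Proto": "https",
}

# Constructed sample: the same request, but the proxy forwards the public Host.
SAMPLE_HEADERS_PUBLIC_HOST = dict(SAMPLE_HEADERS, Host="baby.example.com")


def demo() -> dict[str, object]:
    """Run the scenarios from the page and return their outcomes."""
    return {
        # Host babybuddy, nothing configured: the page's 403 case.
        "unconfigured": csrf_origin_allowed(SAMPLE_HEADERS, False, ""),
        # Host babybuddy with the public origin trusted (two origins, comma-separated).
        "trusted": csrf_origin_allowed(
            SAMPLE_HEADERS, False, "https://baby.example.com, https://baby.example.org"),
        # Scheme seen by the application with and without SECURE_PROXY_SSL_HEADER.
        "scheme_without_setting": effective_scheme(SAMPLE_HEADERS, False),
        "scheme_with_setting": effective_scheme(SAMPLE_HEADERS, True),
        # Public Host forwarded but scheme not honoured: own origin is http://..., still a mismatch.
        "public_host_no_setting": csrf_origin_allowed(SAMPLE_HEADERS_PUBLIC_HOST, False, ""),
        # Public Host forwarded and scheme honoured: matches without any trusted origins.
        "public_host_with_setting": csrf_origin_allowed(SAMPLE_HEADERS_PUBLIC_HOST, True, ""),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints one line per scenario; the "unconfigured" case reproduces the 403 described above, "trusted" passes once the public origin is in the comma-separated list, and the two "public_host" cases show why the scheme setting matters even when the proxy forwards the public hostname.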