Security
ALLOWED_HOSTS
Default: *
(any host)
Set this variable to a single host or comma-separated list of hosts. This should always be set to a specific host or hosts in production deployments.
Do not include schemes ("http" or "https") with this setting.
Example value
baby.example.test, baby.example2.test
See also
CORS_ALLOWED_ORIGINS
Default: ""
(no cross-origin requests allowed)
Set this variable to a single origin or comma-separated list of origins. Include schemes ("http" or "https") and any non-default ports in each origin.
This allows cross-origin requests to the API from the specified origins.
Example value
https://other-domain.example.com, http://localhost:8888
See also
CSRF_COOKIE_SECURE
Default: False
If this is set to True
, the browser CSRF cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
See also
CSRF_TRUSTED_ORIGINS
Default: None
If Baby Buddy is behind a proxy, you may need add all possible origins to this setting for form submission to work correctly. Separate multiple origins with commas.
Each entry must contain both the scheme (http, https) and fully-qualified domain name.
Example value
https://baby.example.test,http://baby.example2.test,http://babybudy
See also
PROXY_HEADER
Default: HTTP_REMOTE_USER
Sets the header to read the authenticated username from when
REVERSE_PROXY_AUTH
has been enabled.
Baby Buddy modifies headers in the HTTP request; HTTP headers in the request have all characters converted to uppercase, replacing any hyphens with underscores and adding an HTTP_ prefix to the name. For example X-Auth-User
would be converted to HTTP_X_AUTH_USER
.
Example value
// For header key X-Auth-User
HTTP_X_AUTH_USER
See also
- Django's documentation on the
REMOTE_USER
authentication method - Django's documentation on the request.META object
REVERSE_PROXY_AUTH
REVERSE_PROXY_AUTH
Default: False
Enable use of PROXY_HEADER
to pass the username of an authenticated user.
This setting should only be used with a properly configured reverse proxy to
ensure the headers are not forwarded from sources other than your proxy.
See also
SECRET_KEY
Default: None
A random, unique string must be set as the "secret key" before Baby Buddy can be deployed and run.
See also Django's documentation on the SECRET_KEY setting.
SECURE_PROXY_SSL_HEADER
Default: None
If Baby Buddy is behind a proxy, you may need to set this to True
in order to
trust the X-Forwarded-Proto
header that comes from your proxy, and any time
its value is "https". This guarantees the request is secure (i.e., it originally
came in via HTTPS).
See also
SESSION_COOKIE_SECURE
Default: False
If this is set to True
, the browser session cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
See also