From cdd2cee02fd72c8118f5986da0a30352bca0ad28 Mon Sep 17 00:00:00 2001
From: Alfredos-Panagiotis Damkalis
Date: Fri, 22 Apr 2022 17:58:56 +0300
Subject: [PATCH] Make SECURE_PROXY_SSL_HEADER setting configurable

Signed-off-by: Alfredos-Panagiotis Damkalis
---
 db/settings.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/db/settings.py b/db/settings.py
index 121b0b8..b8e9ff3 100644
--- a/db/settings.py
+++ b/db/settings.py
@@ -390,7 +390,13 @@ SPECTACULAR_SETTINGS = {
 # Security
 SECRET_KEY = config('SECRET_KEY', default='changeme')
 SECURE_HSTS_SECONDS = config('SECURE_HSTS_SECONDS', default=31536000, cast=int)
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_PROXY_SSL_HEADER = config(
+    'SECURE_PROXY_SSL_HEADER', default='', cast=Csv(post_process=tuple)
+) or None
+ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='localhost', cast=Csv())
 CORS_ALLOW_ALL_ORIGINS = config('CORS_ALLOW_ALL_ORIGINS', default=True, cast=bool)
 CORS_URLS_REGEX = config('CORS_URLS_REGEX', default=r'^(?:/api/artifacts/.*|/media/artifacts/.*)$')
 CORS_ALLOW_METHODS = config('CORS_ALLOW_METHODS', default='GET, OPTIONS', cast=Csv())
@@ -436,10 +442,6 @@ CSP_WORKER_SRC = config(
 CSP_CHILD_SRC = config(
     'CSP_CHILD_SRC', cast=lambda v: tuple(s.strip() for s in v.split(',')), default='blob:'
 )
-SECURE_HSTS_INCLUDE_SUBDOMAINS = True
-SECURE_CONTENT_TYPE_NOSNIFF = True
-SECURE_BROWSER_XSS_FILTER = True
-ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='localhost', cast=Csv())
 
 # Database
 DATABASE_URL = config('DATABASE_URL', default='sqlite:///db.sqlite3')
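Review bot: The new `SECURE_PROXY_SSL_HEADER` assignment in the first hunk accepts any comma-separated value without checking its shape, but Django unpacks this setting as exactly a `(header, value)` pair, so an environment value with one or three items (e.g. a trailing comma) would be accepted at startup and only fail later when `request.is_secure()` is evaluated. A settings-time guard right after the assignment makes the misconfiguration visible immediately: `if SECURE_PROXY_SSL_HEADER is not None and len(SECURE_PROXY_SSL_HEADER) != 2:` / `    raise ImproperlyConfigured("SECURE_PROXY_SSL_HEADER must be 'HEADER_NAME,value', e.g. 'HTTP_X_FORWARDED_PROTO,https'")` (with `from django.core.exceptions import ImproperlyConfigured` if the module does not already import it). The empty default relies on the `Csv` cast being applied to the default string and yielding an empty tuple, which `or None` then turns into Django's safe default of not trusting any forwarded-proto header; a one-line comment above the assignment stating that intent, such as `# Unset (the default) disables proxy header trust; set only behind a TLS-terminating proxy that strips client-supplied values`, would spare the next reader from re-deriving it. Note that deployments which previously relied on the hard-coded `('HTTP_X_FORWARDED_PROTO', 'https')` will now see `is_secure()` return False until the variable is set, which can affect HSTS, secure-cookie and redirect behaviour; the commit message could call that migration step out. The second hunk is a pure relocation of the four settings and needs no change.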