From dcc5d59a85f9c9fdcb49b411c992b28ca70522d7 Mon Sep 17 00:00:00 2001
From: Tudor Amariei
Date: Wed, 27 Dec 2023 15:14:40 +0200
Subject: [PATCH] Update security settings
---
 backend/redirectioneaza/settings.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/backend/redirectioneaza/settings.py b/backend/redirectioneaza/settings.py
index 2476870d..320b395b 100644
--- a/backend/redirectioneaza/settings.py
+++ b/backend/redirectioneaza/settings.py
@@ -46,6 +46,10 @@
     DONATIONS_LIMIT_DATE=(str, "2016-05-25"),
     DONATIONS_LIMIT_TO_CURRENT_YEAR=(bool, True),
     DEFAULT_NGO_LOGO=(str, "https://storage.googleapis.com/redirectioneaza/logo_bw.png"),
+    # security settings
+    ALLOWED_HOSTS=(list, ["*"]),
+    CORS_ALLOWED_ORIGINS=(list, []),
+    CORS_ALLOW_ALL_ORIGINS=(bool, False),
     # zipping settings
     ZIPPY_URL=(str, "zippy:8000"),
     # email settings
@@ -90,8 +94,17 @@
 DJANGO_ADMIN_PASSWORD = env.str("DJANGO_ADMIN_PASSWORD", None)
 DJANGO_ADMIN_EMAIL = env.str("DJANGO_ADMIN_EMAIL", None)
-ALLOWED_HOSTS = []
+# Security settings
+ALLOWED_HOSTS = env.list("ALLOWED_HOSTS")
+
+CSRF_HEADER_NAME = "HTTP_X_XSRF_TOKEN"
+CSRF_COOKIE_NAME = "XSRF-TOKEN"
+
+CORS_ALLOWED_ORIGINS = env.list("CORS_ALLOWED_ORIGINS")
+CORS_ALLOW_ALL_ORIGINS = env.bool("CORS_ALLOW_ALL_ORIGINS")
+
+# Application definition
 APPEND_SLASH = True
 # some settings will be different if it's not running in a container (e.g., locally, on a Mac)
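Review bot: The new default `ALLOWED_HOSTS=(list, ["*"])` in the env() declaration block means any deployment that forgets to set the variable accepts every Host header, which switches off Django's host validation and lets an attacker-chosen host end up in any absolute URL the app builds from the request. A restrictive default, `ALLOWED_HOSTS=(list, []),`, is safer: with DEBUG on Django still admits the localhost names, and a production deploy that is missing the variable fails loudly with HTTP 400 rather than silently trusting every host; the wildcard can still be opted into explicitly per environment. That would also make the default consistent with `CORS_ALLOW_ALL_ORIGINS=(bool, False)`, which already picks the restrictive value. In the second hunk, the non-default `CSRF_HEADER_NAME` / `CSRF_COOKIE_NAME` values deserve a why-comment so the next maintainer does not revert them, e.g. `# Non-default CSRF names: the front-end reads the XSRF-TOKEN cookie and echoes it in the X-XSRF-Token header`.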