adding configurable csrf settings and including withXSRFToken in axio… (

#1042)

* adding configurable csrf settings and including withXSRFToken in axios config

* removing 'CORS_ORIGIN_ALLOW_ALL' settings

* adding in default settings

* adding in CORS_ALLOWED_ORIGIN_REGEXES setting

* making CSRF_COOKIE_SECURE True by default

* adding CORS_REPLACE_HTTPS_REFERER

* Revert "adding CORS_REPLACE_HTTPS_REFERER"

This reverts commit 913cd7a.

frontends/api/src/axios.ts

@@ -6,6 +6,7 @@ import axios from "axios"
 const instance = axios.create({
   xsrfCookieName: "csrftoken",
   xsrfHeaderName: "X-CSRFToken",
+  withXSRFToken: true,
   withCredentials:
     APP_SETTINGS.axios_with_credentials?.toLowerCase() === "true",
 })

main/settings.py

@@ -151,11 +151,22 @@
 # CORS
 CORS_ALLOWED_ORIGINS = get_list_of_str("CORS_ALLOWED_ORIGINS", [])
 CORS_ALLOWED_ORIGIN_REGEXES = get_list_of_str("CORS_ALLOWED_ORIGIN_REGEXES", [])
-CORS_ALLOW_CREDENTIALS = True
 
-CSRF_TRUSTED_ORIGINS = get_list_of_str("CSRF_TRUSTED_ORIGINS", [])
+CORS_ALLOW_CREDENTIALS = get_bool("CORS_ALLOW_CREDENTIALS", True)  # noqa: FBT003
+SECURE_CROSS_ORIGIN_OPENER_POLICY = get_string(
+    "SECURE_CROSS_ORIGIN_OPENER_POLICY",
+    "same-origin",
+)
+
+CSRF_COOKIE_SECURE = get_bool("CSRF_COOKIE_SECURE", True)  # noqa: FBT003
+SESSION_COOKIE_DOMAIN = get_string("SESSION_COOKIE_DOMAIN", None)
 CSRF_COOKIE_DOMAIN = get_string("CSRF_COOKIE_DOMAIN", None)
 
+CSRF_HEADER_NAME = get_string("CSRF_HEADER_NAME", "HTTP_X_CSRFTOKEN")
+
+
+CSRF_TRUSTED_ORIGINS = get_list_of_str("CSRF_TRUSTED_ORIGINS", [])
+
 # enable the nplusone profiler only in debug mode
 if DEBUG:
     INSTALLED_APPS += ("nplusone.ext.django",)