Adding CSRF checks for the VM instance

Signed-off-by: Yesenia <[email protected]>
ossf · Jul 10, 2023 · c4be590 · c4be590
1 parent 40e620c
commit c4be590
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -73,7 +73,7 @@ In the event of a virtual machine having to be destroy and a new one taken it's
   * Collecting the static files for UI
     * Ensure that the `/opt/omega/static` directory is available, if not, create it.
     * Enter the triage-portal container ( `docker exec -it omega-triage-portal /bin/bash` ) and run `python manage.py collectstatic`
-    * Move the static files to the `/opt/omega/static` directory
+    * Move the static files from container to the VM's `/opt/omega/static` directory ( `cp core/settings.py /opt/omega/static`)
 
 ## Contributing
 

diff --git a/src/.env-template b/src/.env-template
@@ -30,3 +30,7 @@ CACHE_REDIS_PASSWORD=''
 #APPINSIGHTS_IKEY = ''
 
 OSSGADGET_PATH="/OSSGadget"
+
+AZURE_VM_CSRF_URL_DEV = https://otpdev1.eastus.cloudapp.azure.com
+# setting it to the same value as dev for now
+# AZURE_VM_CSRF_URL_PROD = https://otpdev1.eastus.cloudapp.azure.com
diff --git a/src/core/settings.py b/src/core/settings.py
@@ -26,8 +26,10 @@
 INTERNAL_IPS = []
 if TRIAGE_PORTAL_DEVELOPMENT_MODE:
     ALLOWED_HOSTS = ["*"]
+    CSRF_TRUSTED_ORIGINS = [os.getenv("AZURE_VM_CSRF_URL_DEV")]
 else:
-    ALLOWED_HOSTS = ["omega-triageportal-dev1.azurewebsites.net"]
+    ALLOWED_HOSTS = [os.getenv("AZURE_VM_CSRF_URL_PROD")]
+    CSRF_TRUSTED_ORIGINS = [os.getenv("AZURE_VM_CSRF_URL_PROD")]
 
 if "CODESPACE_NAME" in os.environ:
     codespace_name = os.getenv("CODESPACE_NAME")