
Fix CSRF verification failures by correcting nginx Host header configuration#699

Merged: A1L13N merged 5 commits into main from copilot/fix-05fb8b66-e92b-4275-bdf2-150a87b6a778 on Oct 8, 2025

Conversation


Copilot AI commented Oct 5, 2025

Problem

Users were encountering CSRF verification failures when submitting forms on the website:

Forbidden (403)
CSRF verification failed. Request aborted.

This issue was particularly affecting users accessing the site via www.alphaonelabs.com and the pythonanywhere domain.

Root Cause

The nginx configuration was hardcoding the Host header to a fixed domain:

proxy_set_header Host {{ domain_name | default('alphaonelabs.com') }};

This caused a mismatch between the request's Origin header and the Host header that Django received. For example:

  • User visits: https://www.alphaonelabs.com
  • Browser sends: Origin: https://www.alphaonelabs.com
  • Nginx hardcodes: Host: alphaonelabs.com
  • Django sees: Origin ≠ Host → CSRF validation fails ❌

Even though https://www.alphaonelabs.com was in CSRF_TRUSTED_ORIGINS, the Host header mismatch caused Django's CSRF middleware to reject the request.

Solution

1. Fixed nginx Host header configuration

Changed the nginx configuration to preserve the actual client's Host header:

- proxy_set_header Host {{ domain_name | default('alphaonelabs.com') }};
+ proxy_set_header Host $host;
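Review bot: `$host` strips any port from the client's Host header (and falls back to the server_name when the header is missing), so for a deployment reached on a non-default port such as the `http://127.0.0.1:8000` / `http://localhost:8000` entries in CSRF_TRUSTED_ORIGINS, Django would receive a Host without the port and the Origin comparison would fail again; `proxy_set_header Host $http_host;` forwards the header verbatim if that case matters. Since the upstream now sees whatever Host the client sent, ALLOWED_HOSTS becomes the only guard against Host-header spoofing, so confirm this nginx server block has an explicit server_name rather than acting as the catch-all default server.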

This ensures Django receives the same Host header that the client sent, allowing Origin and Host to match correctly.

2. Added pythonanywhere domain to CSRF_TRUSTED_ORIGINS

The pythonanywhere domain was in ALLOWED_HOSTS but missing from CSRF_TRUSTED_ORIGINS. Added it to ensure explicit CSRF validation support:

CSRF_TRUSTED_ORIGINS = [
    "https://alphaonelabs.com",
    "https://www.alphaonelabs.com",
    "https://alphaonelabs99282llkb.pythonanywhere.com",  # Added
    "http://127.0.0.1:8000",
    "http://localhost:8000",
]

This is necessary because the HostnameRewriteMiddleware rewrites the pythonanywhere hostname to alphaonelabs.com but doesn't rewrite the Origin header.

3. Added comprehensive CSRF tests

Created web/tests/test_csrf.py with tests verifying CSRF tokens work correctly across all allowed domains:

  • test_csrf_with_alphaonelabs_domain()
  • test_csrf_with_www_subdomain()
  • test_csrf_with_pythonanywhere_domain()
  • test_csrf_with_localhost()

Impact

✅ Forms can now be submitted from www.alphaonelabs.com without CSRF errors
✅ Forms can be submitted from the pythonanywhere domain without CSRF errors
✅ All legitimate domains in ALLOWED_HOSTS are now properly supported
✅ No breaking changes - backward compatible
✅ No performance impact
✅ Security maintained - no weakening of CSRF protection

Deployment Notes

After merging, the nginx configuration needs to be updated on the server:

ansible-playbook ansible/deploy.yml
# OR
sudo systemctl reload nginx

Files Changed

  • ansible/nginx.conf.j2 - Fixed Host header passing (2 lines)
  • web/settings.py - Added pythonanywhere to CSRF_TRUSTED_ORIGINS (1 line)
  • web/tests/test_csrf.py - Added comprehensive CSRF tests (148 lines, new file)

Total: 3 files changed, 151 insertions(+), 2 deletions(-)

Original prompt

Please fix Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.
More information is available with DEBUG=True.
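The two failure paths described above, as an added illustration that is not the project's code: a simplified model of Django's CSRF Origin check (accept a POST only when Origin equals scheme://Host, or when Origin is listed in CSRF_TRUSTED_ORIGINS), with nginx's Host handling and the HostnameRewriteMiddleware modelled as the description states them. The real middleware's wildcard-subdomain entries are omitted, and the domain values are taken from the settings snippet above.

```python
"""Simplified model of Django's CSRF Origin verification (illustration only)."""
from urllib.parse import urlparse

# Trusted origins as listed in the PR description, before and after the fix.
CSRF_TRUSTED_ORIGINS_BEFORE = [
    "https://alphaonelabs.com",
    "https://www.alphaonelabs.com",
    "http://127.0.0.1:8000",
    "http://localhost:8000",
]
CSRF_TRUSTED_ORIGINS_AFTER = CSRF_TRUSTED_ORIGINS_BEFORE + [
    "https://alphaonelabs99282llkb.pythonanywhere.com",
]
PYTHONANYWHERE_HOST = "alphaonelabs99282llkb.pythonanywhere.com"


def nginx_host(client_host: str, preserve: bool) -> str:
    """Host header as forwarded by nginx: hardcoded before the fix,
    the client's own Host ($host) after it."""
    return client_host if preserve else "alphaonelabs.com"


def hostname_rewrite(host: str) -> str:
    """Model of HostnameRewriteMiddleware as the PR describes it:
    the pythonanywhere hostname is rewritten, the Origin header is not."""
    return "alphaonelabs.com" if host == PYTHONANYWHERE_HOST else host


def same_origin(origin: str, host: str, scheme: str) -> bool:
    """Strict check: Origin must equal scheme://Host as Django sees them."""
    return origin == f"{scheme}://{host}"


def origin_verified(origin: str, host: str, scheme: str, trusted: list) -> bool:
    """Django accepts the request if Origin is same-origin with the Host it
    received, or if Origin is an exact entry of CSRF_TRUSTED_ORIGINS.
    A non-URL Origin (e.g. 'null') never verifies."""
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return same_origin(origin, host, scheme) or origin in trusted


def simulate(client_host: str, preserve_host: bool, trusted: list) -> bool:
    """Whole path: browser -> nginx -> HostnameRewriteMiddleware -> CSRF check."""
    origin = f"https://{client_host}"          # what the browser sends
    host = hostname_rewrite(nginx_host(client_host, preserve_host))
    return origin_verified(origin, host, "https", trusted)
```

`simulate(PYTHONANYWHERE_HOST, True, CSRF_TRUSTED_ORIGINS_BEFORE)` is False because the rewritten Host no longer matches the Origin and the origin is not in the trusted list; with CSRF_TRUSTED_ORIGINS_AFTER it is True.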




coderabbitai Bot commented Oct 5, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI and others added 2 commits October 5, 2025 22:25
Co-authored-by: A1L13N <193832434+A1L13N@users.noreply.github.com>
Co-authored-by: A1L13N <193832434+A1L13N@users.noreply.github.com>
Copilot AI changed the title Please fix Forbidden (403) CSRF verification failed. Request aborted. You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hij... Fix CSRF verification failures by correcting nginx Host header configuration Oct 5, 2025
Copilot AI requested a review from A1L13N October 5, 2025 22:31
@A1L13N A1L13N marked this pull request as ready for review October 8, 2025 14:52
@A1L13N A1L13N merged commit 4f1bd00 into main Oct 8, 2025
10 checks passed
@A1L13N A1L13N deleted the copilot/fix-05fb8b66-e92b-4275-bdf2-150a87b6a778 branch October 8, 2025 14:52
