Gotta hand it to the security researchers: They do notice things from time to time. In this case, somebody noticed that our "Forgot Password" email was sending links with the http protocol instead of the https. That's pretty weird, but it makes sense after our switch to nginx in #1429. This is happening because gunicorn is accessed via a reverse proxy that uses http and doesn't know that our front end is only accessed via https.
The easy fix would be to simply update the email template to hard code https, but this is actually a canary in a coal mine. We need to tell gunicorn that everything should be treated as secure. To do that, we need to use Django's SECURE_PROXY_SSL_HEADER configuration.
We already send the correct headers via our proxy.conf nginx configuration. We just need to recognize them in our settings file.
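As an added example (not code from this PR, and not Django's own source), the following stdlib-only model mirrors the documented behaviour of Django's request.scheme / is_secure() with SECURE_PROXY_SSL_HEADER, so it runs without Django installed. The header name, the domain and the token are constructed; the point is to show why the reset link comes out http before the setting exists and https once nginx's X-Forwarded-Proto header is recognised.

```python
"""Model of how Django picks the request scheme behind a TLS-terminating proxy.

Constructed example. It reproduces the documented logic of
HttpRequest.scheme when SECURE_PROXY_SSL_HEADER is set, without importing Django.
"""
from typing import Optional, Tuple

# The settings.py value this change adds. nginx sends "X-Forwarded-Proto",
# which WSGI exposes to Django as META["HTTP_X_FORWARDED_PROTO"].
SECURE_PROXY_SSL_HEADER: Tuple[str, str] = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta: dict, proxy_header: Optional[Tuple[str, str]] = SECURE_PROXY_SSL_HEADER) -> str:
    """Return 'https' only if the configured proxy header carries the secure value."""
    if proxy_header:
        header, secure_value = proxy_header
        value = meta.get(header)
        if value is not None:
            value, *_ = value.split(",", 1)  # Django keeps only the first hop's value
            return "https" if value.strip() == secure_value else "http"
    # Without the setting, Django trusts only the transport it sees.
    # gunicorn hears plain http from nginx, so this is always "http" here.
    return meta.get("wsgi.url_scheme", "http")


def password_reset_link(meta: dict, token: str = "<reset-token>", domain: str = "example.invalid") -> str:
    """Build the link the 'Forgot Password' email would embed (constructed URL layout)."""
    return f"{request_scheme(meta)}://{domain}/reset/{token}/"


def nginx_forwarded_meta(client_headers: dict, proxy_scheme: str = "https") -> dict:
    """Simulate `proxy_set_header X-Forwarded-Proto $scheme;` in proxy.conf.

    nginx overwrites whatever the client sent, which is what makes the header
    trustworthy: only the proxy's own view of the connection reaches gunicorn.
    """
    meta = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in client_headers.items()}
    meta["HTTP_X_FORWARDED_PROTO"] = proxy_scheme
    meta["wsgi.url_scheme"] = "http"  # nginx -> gunicorn hop is plain http
    return meta


if __name__ == "__main__":
    meta = nginx_forwarded_meta({})
    print("before fix:", password_reset_link(meta) if False else request_scheme(meta, None))
    print("after fix: ", password_reset_link(meta))
```

The same setting only helps if gunicorn is reached exclusively through nginx; the nginx_forwarded_meta helper shows the proxy overwriting the header, which is the property Django relies on.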