Fixed #593: Add some docs for TAKAHE_CSRF_HOSTS

docker/docker-compose.yml

@@ -15,7 +15,7 @@ x-takahe-common:
       TAKAHE_DATABASE_SERVER: "postgres://postgres:insecure_password@db/takahe"
       TAKAHE_DEBUG: "true"
       TAKAHE_SECRET_KEY: "insecure_secret"
-      TAKAHE_CSRF_TRUSTED_ORIGINS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
+      TAKAHE_CSRF_HOSTS: '["http://127.0.0.1:8000", "https://127.0.0.1:8000"]'
       TAKAHE_USE_PROXY_HEADERS: "true"
       TAKAHE_EMAIL_BACKEND: "console://console"
       TAKAHE_MAIN_DOMAIN: "example.com"

docs/installation.rst

@@ -122,6 +122,18 @@ be provided to the containers from the first boot.
 There are some other, optional variables you can tweak once the
 system is up and working - see :doc:`tuning` for more.
 
+If you are behind a caching proxy, such as Cloudflare, you may need to update
+your CSRF host settings to match. Takahē validates that requests have an
+Origin header that matches their Referer header by default, and these services
+can break that relationship.
+
+Takahē lets you set this up via the ``TAKAHE_CSRF_HOSTS`` environment variable, which takes
+a Python-list-formatted list of additional protocols/domains to allow, with wildcards. It feeds
+directly into Django's `CSRF_TRUSTED_ORIGINS <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_
+setting, so for more information about how to use it, see `the Django documentation <https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins>`_ - generally, you'd want to set it to
+your website's public address, so for our server it would have been
+``TAKAHE_CSRF_HOSTS='["https://takahe.social"]'``.
+
 
 .. _media_configuration: