wsvincent / djangoforprofessionals

Source code for Django for Professionals 4.0
https://djangoforprofessionals.com/
MIT License

Chapter 16 issues with CSRF tokens #169

Closed flaviowh closed 2 years ago

flaviowh commented 2 years ago

When I turn on the CSRF settings in configs/settings.py, the user can't log in: the page looks like it's refreshing, but it goes back to the login form. Same with admin pages. This also happens with the deployed version on Heroku.

Login problems occur when these are used: CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE

As a smaller issue, the HSTS settings show a "The connection for this site is not secure" error, and the terminal says the browser is trying to force https on the development server, which causes the error.

Anyway, thank you for the amazing book that finally got me started on Django, which I thought I never could.
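The login loop described above is the expected effect of a Secure cookie on a plain-HTTP dev server: the browser never returns a Secure session or CSRF cookie over http://, so the CSRF check fails and the new session is dropped. The following is an added example, not code from the book or this repository, of gating those flags on a deployment mode; the DJANGO_PRODUCTION variable name is an assumption.

```python
# Added example: environment-gated cookie and transport settings for a Django
# project. Not from the book or the repo; DJANGO_PRODUCTION is an assumed flag.
import os


def security_settings(production: bool) -> dict:
    """Return Django's cookie/HTTPS hardening settings for the given mode.

    runserver speaks plain HTTP. A cookie marked Secure is never sent back
    over http://, so with SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE on,
    the CSRF token check fails and the session cookie is discarded: the
    login form just reloads. SECURE_SSL_REDIRECT likewise bounces every dev
    request to https://, which runserver cannot serve. Keep all of these off
    locally and on only behind TLS.
    """
    return {
        "SESSION_COOKIE_SECURE": production,
        "CSRF_COOKIE_SECURE": production,
        "SECURE_SSL_REDIRECT": production,
        # HSTS: 30 days in production, 0 (disabled) in development.
        "SECURE_HSTS_SECONDS": 2592000 if production else 0,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": production,
        "SECURE_HSTS_PRELOAD": production,
        # Heroku terminates TLS at its router, so Django only sees HTTP unless
        # it is told to trust the X-Forwarded-Proto header from that proxy.
        "SECURE_PROXY_SSL_HEADER": (
            ("HTTP_X_FORWARDED_PROTO", "https") if production else None
        ),
    }


# In settings.py (assumption: DJANGO_PRODUCTION=1 is set only on Heroku):
globals().update(
    security_settings(os.environ.get("DJANGO_PRODUCTION") == "1")
)
```

A browser that has already cached an HSTS entry for localhost will keep forcing https until that entry is cleared, even after the setting is turned off.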

wsvincent commented 2 years ago

Hi @flaviowh,

Thank you for the kind words and the feedback. I am finishing up the 4.0 update, so I will keep a sharp eye out for these CSRF issues and see if I can replicate them! Security settings are often finicky. I'll report back if I have an update.

-Will