This is a project for the Swim4Love event. It is a web application that allows users to track the swimmers.
- Python 3.x
- pip
- Clone the repository:
git clone https://github.com/HenryXiaoYang/Swim4LoveV2.git
cd Swim4LoveV2
- Install Python dependencies:
pip install -r requirements.txt
- Edit the .env file to set your secret key:
DJANGO_SECRET_KEY=your_secret_key
Make sure to keep your keys safe!
- Configure CSRF settings in DjangoConfigs/settings.py:
Django 4.0+ requires explicit configuration of trusted origins for CSRF protection. This is important for security, especially when deploying to production or when your application is accessed from different domains or IPs.
# For local development
CSRF_TRUSTED_ORIGINS = [
'http://localhost:8000',
'http://127.0.0.1:8000',
]
# For production - add your actual domain(s)
# CSRF_TRUSTED_ORIGINS = [
# 'https://yourwebsite.com',
# 'https://www.yourwebsite.com',
# ]
Note: Always include the scheme (http:// or https://) in CSRF_TRUSTED_ORIGINS entries.
If you need to dynamically determine your server's IP address (useful in some deployment scenarios), you can use:
import socket
# Get the hostname
hostname = socket.gethostname()
# Get the IP address
ip_address = socket.gethostbyname(hostname)
CSRF_TRUSTED_ORIGINS = [
'http://localhost:8000',
'http://127.0.0.1:8000',
f'http://{ip_address}:8000',
f'https://{ip_address}:8000',
]
If you continue to experience CSRF issues, consider installing django-cors-headers for more advanced cross-origin resource sharing control.
-
Edit the Swim4LoveV2/settings.py file if you need to change some Django settings.
-
Collect static files:
python3 manage.py collectstatic
- Migrate the database:
python3 manage.py makemigrations Swim4LoveV2
python3 manage.py migrate
- Create a superuser
python3 manage.py createsuperuser
- Run the server:
gunicorn DjangoConfigs.wsgi -c gunicorn.conf.py
- Open your browser and go to
http://127.0.0.1:8000/
to view the website. - Use your superuser credentials to log in.
- Build the image:
sudo docker build -t henryxiaoyang/swim4lovev2 .
- Configure CSRF in your environment variables:
For Docker deployments, you may need to pass your domain as an environment variable and configure your settings.py to use it. Add a section to your settings.py that reads from environment variables:
# In DjangoConfigs/settings.py
import os
# Get domains from environment or use defaults
csrf_trusted_domains = os.environ.get('CSRF_TRUSTED_DOMAINS', 'localhost,127.0.0.1').split(',')
CSRF_TRUSTED_ORIGINS = []
for domain in csrf_trusted_domains:
CSRF_TRUSTED_ORIGINS.append(f'http://{domain}')
CSRF_TRUSTED_ORIGINS.append(f'https://{domain}')
- Run the image:
sudo docker run -d \
--name swim4lovev2 \
--restart always \
-v swim4lovev2:/app \
-e DJANGO_SECRET_KEY=Your-Secret-Key \
-e CSRF_TRUSTED_DOMAINS=yourwebsite.com,www.yourwebsite.com \
-p 8000:8000 \
henryxiaoyang/swim4lovev2
or use docker-compose:
version: "3"
services:
swim4lovev2:
image: henryxiaoyang/swim4lovev2
container_name: swim4lovev2
restart: always
volumes:
- swim4lovev2:/app
environment:
DJANGO_SECRET_KEY: Your-Secret-Key
CSRF_TRUSTED_DOMAINS: yourwebsite.com,www.yourwebsite.com
ports:
- "8000:8000"
volumes:
swim4lovev2:
docker-compose up -d
If you encounter CSRF verification errors (403 Forbidden), try the following solutions:
-
Verify CSRF_TRUSTED_ORIGINS includes the correct domain(s):
- Make sure all domains include the scheme (
http://
orhttps://
) - Check for any subdomain issues (you may need to include both root domain and www version)
- For dynamic IPs, ensure the current IP is included
- Make sure all domains include the scheme (
-
Common error messages and solutions:
- "Origin checking failed - X does not match any trusted origins": Add the domain X to your CSRF_TRUSTED_ORIGINS list
- "CSRF cookie not set": Ensure your browser accepts cookies and Django's session middleware is correctly configured
- "Referer checking failed": Check that your browser sends proper referer headers
-
For development environments:
- If testing with different ports or domains, make sure all are included in CSRF_TRUSTED_ORIGINS
- When using Docker or containers, ensure the host's domain is properly passed to the container
-
For production environments:
- Always use HTTPS in production for better security
- Consider using wildcard subdomains if needed:
'https://*.example.com'
-
Last resort options:
- For specific views that don't require CSRF protection, you can use the
@csrf_exempt
decorator:
from django.views.decorators.csrf import csrf_exempt @csrf_exempt def my_view(request): # ...
- Consider installing and configuring django-cors-headers for more complex cross-origin scenarios
- For specific views that don't require CSRF protection, you can use the
Remember that proper CSRF protection is critical for security. Avoid disabling it globally.