From 4f07d854e10509dfecb63d7b0fb958f7002abe57 Mon Sep 17 00:00:00 2001
From: saani
Date: Tue, 25 Nov 2025 18:27:57 +0000
Subject: [PATCH] config: add CSRF trusted origins for production domains

Add CSRF_TRUSTED_ORIGINS setting to whitelist the production domains (attunehearttherapy.com and its api subdomain) for CSRF verification. This ensures secure cross-origin POST requests from the frontend.

Also add documentation comment for CORS configuration section.
---
 booking_system/settings.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/booking_system/settings.py b/booking_system/settings.py
index 6e0e81b..53934f2 100644
--- a/booking_system/settings.py
+++ b/booking_system/settings.py
@@ -14,6 +14,7 @@ DEBUG = os.getenv('DEBUG', 'False').lower() == 'true'
 ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '*').split(',')
+# CORS Configuration
 CORS_ALLOWED_ORIGINS = [
     'http://localhost:3000',
     'http://127.0.0.1:3000',
@@ -22,6 +23,10 @@ CORS_ALLOWED_ORIGINS = [
 CORS_ALLOW_CREDENTIALS = True
+CSRF_TRUSTED_ORIGINS = [
+    'https://api.attunehearttherapy.com',
+    'https://attunehearttherapy.com'
+]
 INSTALLED_APPS = [
     'jazzmin',
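Review bot: `CSRF_TRUSTED_ORIGINS` in the second hunk hardcodes the two production origins while `DEBUG` and `ALLOWED_HOSTS` a few lines above are read from the environment, so a staging or preview deployment will need a code change rather than a config change; reading it the same way keeps the settings consistent: `CSRF_TRUSTED_ORIGINS = os.getenv('CSRF_TRUSTED_ORIGINS', 'https://api.attunehearttherapy.com,https://attunehearttherapy.com').split(',')`. This setting only tells Django's CSRF check to accept requests whose Origin/Referer matches a listed host; it does not by itself make cross-origin POSTs secure, so the list should stay limited to hosts that actually serve the frontend, and the commit message's "ensures secure" wording overstates what it does. Because `CORS_ALLOW_CREDENTIALS = True` is set in the same hunk, the production origins presumably also need to appear in `CORS_ALLOWED_ORIGINS`; the rest of that list falls between the two hunks, so I cannot confirm from this patch that they are there. Minor style: a trailing comma on the last entry (`'https://attunehearttherapy.com',`) matches the style of `CORS_ALLOWED_ORIGINS` and keeps future additions to a one-line diff.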