config: add CSRF trusted origins for production domains

Add CSRF_TRUSTED_ORIGINS setting to whitelist the production domains (attunehearttherapy.com and its api subdomain) for CSRF verification. This ensures secure cross-origin POST requests from the frontend. Also add documentation comment for CORS configuration section.
2025-11-25 18:27:57 +00:00 · 2025-11-25 18:27:57 +00:00 · 4f07d854e1
commit 4f07d854e1
parent 4b75d38713
1 changed files with 5 additions and 0 deletions
--- a/booking_system/settings.py
+++ b/booking_system/settings.py
@ -14,6 +14,7 @@ DEBUG = os.getenv('DEBUG', 'False').lower() == 'true'

 ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '*').split(',')

+# CORS Configuration
 CORS_ALLOWED_ORIGINS = [
    'http://localhost:3000',
    'http://127.0.0.1:3000',
@ -22,6 +23,10 @@ CORS_ALLOWED_ORIGINS = [

 CORS_ALLOW_CREDENTIALS = True

+CSRF_TRUSTED_ORIGINS = [
+    'https://api.attunehearttherapy.com',
+    'https://attunehearttherapy.com'
+]

 INSTALLED_APPS = [
    'jazzmin',