Merge pull request #439 from NHSDigital/fix-csrf-protection-on-review-app

Fix CSRF protection on review app

Author: MatMoore

infrastructure/environments/dev/variables.yml

@@ -2,3 +2,4 @@ BASE_URL: https://dev.manage-breast-screening.non-live.screening.nhs.uk
 BASIC_AUTH_ENABLED: True
 CIS2_SERVER_METADATA_URL: https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration
 PERSONAS_ENABLED: 1
+CSRF_TRUSTED_ORIGINS: 'https://dev.manage-breast-screening.non-live.screening.nhs.uk'

infrastructure/environments/preprod/variables.yml

@@ -2,3 +2,4 @@ BASE_URL: https://preprod.manage-breast-screening.screening.nhs.uk
 BASIC_AUTH_ENABLED: True
 CIS2_SERVER_METADATA_URL: https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration
 PERSONAS_ENABLED: 1
+CSRF_TRUSTED_ORIGINS: 'https://preprod.manage-breast-screening.screening.nhs.uk'

infrastructure/environments/review/variables.yml

@@ -1 +1,2 @@
 PERSONAS_ENABLED: 1
+CSRF_TRUSTED_ORIGINS: 'https://*.manage-breast-screening.non-live.screening.nhs.uk'

manage_breast_screening/config/settings.py

@@ -23,6 +23,11 @@ def boolean_env(key, default=None):
     return default if value is None else value in ("True", "true", "1")
 
 
+def list_env(key):
+    value = environ.get(key)
+    return value.split(",") if value else []
+
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -38,8 +43,8 @@ def boolean_env(key, default=None):
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = boolean_env("DEBUG", default=False)
 
-allowed_hosts = environ.get("ALLOWED_HOSTS")
-ALLOWED_HOSTS = allowed_hosts.split(",") if allowed_hosts else []
+ALLOWED_HOSTS = list_env("ALLOWED_HOSTS")
+CSRF_TRUSTED_ORIGINS = list_env("CSRF_TRUSTED_ORIGINS")
 
 allowed_hosts_except_localhost = set(ALLOWED_HOSTS) - {"localhost", "127.0.0.1"}