CORS_ORIGIN_ALLOW_ALL variable is ignored on login #1625
Description
Current Behavior
CORS_ORIGIN_ALLOW_ALL=True in env file,
Docker inspect returns True for this variable for both netbox-1 and worker.
Yet, interface still gives cors error when trying to login (on POST request)
Reason given for failure:
Origin checking failed - http://10.160.11.1:801 does not match any trusted origins.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when [Django’s CSRF mechanism](https://docs.djangoproject.com/en/5.2/ref/csrf/) has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function passes a request to the template’s [render](https://docs.djangoproject.com/en/5.2/topics/templates/#django.template.backends.base.Template.render) method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.
Expected Behavior
I'm expecting being able to reach the web-interface behind reverse-proxy without explicitly whitelisting CORS when ALLOW_ALL is True
Docker Compose Version
Docker Compose version v5.0.2
Docker Version
Version: 29.2.1
API version: 1.53
Go version: go1.25.6
Git commit: a5c7197
Built: Mon Feb 2 17:17:24 2026
OS/Arch: linux/amd64
Context: default
The git Revision
The git Status
On branch release
Your branch is up to date with 'origin/release'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: docker-compose.yml
modified: env/netbox.env
modified: env/postgres.env
no changes added to commit (use "git add" and/or "git commit -a")
Startup Command
docker compose up
NetBox Logs
netbox-1 | [2026-02-18 18:06:23 +0000] 172.28.5.1 - "GET /login/ HTTP/1" 200 6.313
netbox-1 | Forbidden (Origin checking failed - http://10.160.11.1:801 does not match any trusted origins.): /login/
netbox-1 | [2026-02-18 18:06:26 +0000] 172.28.5.1 - "POST /login/ HTTP/1" 403 37.086
Content of docker-compose.override.yml
services:
netbox:
ports:
- "8000:8080"All the changes in compose are limited to custom docker network, network ipam and external postgresql.