Merge pull request #282 from hongquan/fix/django-https-detection

Fix: Django not detect that our site is HTTPS

src/pretalx/common/views/redirect.py

@@ -1,12 +1,20 @@
+import logging
 import urllib.parse
 
 from django.core import signing
-from django.http import HttpResponseBadRequest, HttpResponseRedirect
+from django.http import (
+    HttpRequest,
+    HttpResponse,
+    HttpResponseBadRequest,
+    HttpResponseRedirect,
+)
 from django.shortcuts import render
 from django.urls import reverse
 
+logger = logging.getLogger(__name__)
 
-def _is_samesite_referer(request):
+
+def _is_samesite_referer(request: HttpRequest) -> bool:
     referer = request.headers.get("referer")
     if referer is None:
         return False
@@ -20,7 +28,7 @@ def _is_samesite_referer(request):
     return (referer.scheme, referer.netloc) == (request.scheme, request.get_host())
 
 
-def redirect_view(request):
+def redirect_view(request: HttpRequest) -> HttpResponse:
     signer = signing.Signer(salt="safe-redirect")
     try:
         url = signer.unsign(request.GET.get("url", ""))
@@ -40,6 +48,7 @@ def redirect_view(request):
     return HttpResponseRedirect(url)
 
 
-def safelink(url):
+def safelink(url: str) -> str:
+    """Wrap a URL with our redirect view to check if the user is about to go to external site."""
     signer = signing.Signer(salt="safe-redirect")
     return reverse("redirect") + "?url=" + urllib.parse.quote(signer.sign(url))

src/pretalx/settings.py

@@ -603,6 +603,9 @@ def merge_csp(*options, config=None):
     },
 }
 
+# We need this for Django to detect correctly that our website is served via HTTPS
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
 VITE_DEV_SERVER_PORT = 8080
 VITE_DEV_SERVER = f"http://localhost:{VITE_DEV_SERVER_PORT}"
 VITE_DEV_MODE = DEBUG