Skip to content

Commit dbc0a43

Browse files
kennethreitzclaude
andcommitted
Surface CSRF, proxy trust, and body cap in production docs
The production checklist in deployment.rst and the putting-it-all- together config example now mention csrf=True, trust_proxy_headers, and the 100 MiB max_request_size default alongside the existing items. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent 5c81652 commit dbc0a43

2 files changed

Lines changed: 15 additions & 0 deletions

File tree

docs/source/deployment.rst

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,15 @@ Before going live:
264264
:doc:`configuration guide <guide-config>`.
265265
- **Disable debug mode** — it's off by default; never set ``debug=True`` in production
266266
- **Set allowed hosts** — ``allowed_hosts=[...]``, restricted to your domains
267+
- **Behind a proxy? Trust its headers** — ``trust_proxy_headers=True`` so
268+
HTTPS detection, redirects, and client IPs reflect the original request
269+
(only when *every* request comes through your proxy — see `Reverse Proxy`_)
270+
- **Serving browser forms? Enable CSRF protection** — ``csrf=True`` pairs
271+
with the default-on cookie sessions; exempt webhook routes with
272+
``csrf=False``. Token-only APIs (no cookies) don't need it.
273+
- **Check the request-body cap fits** — bodies over ``max_request_size``
274+
(100 MiB by default) get a ``413``; raise it for large uploads (multipart
275+
streams to disk, so a bigger cap doesn't mean more memory)
267276
- **Use multiple workers** — ``--workers 4`` or more, depending on CPU cores
268277
(set a stable secret key first — see above)
269278
- **Add a health check** — ``/health`` endpoint for monitoring

docs/source/guide-config.rst

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -242,6 +242,12 @@ A production-ready configuration setup::
242242
# secret_key is read from RESPONDER_SECRET_KEY automatically
243243
debug=os.getenv("DEBUG", "false") == "true",
244244
allowed_hosts=os.getenv("ALLOWED_HOSTS", "*").split(","),
245+
# Serving browser forms? Require a session-bound CSRF token on
246+
# unsafe requests (see the tour's CSRF Protection section).
247+
csrf=True,
248+
# Behind nginx/Caddy/a load balancer, honor its Forwarded /
249+
# X-Forwarded-* headers; leave off when directly exposed.
250+
trust_proxy_headers=os.getenv("BEHIND_PROXY") == "true",
245251
cors=bool(os.getenv("CORS_ORIGINS")),
246252
cors_params={
247253
"allow_origins": os.getenv("CORS_ORIGINS", "").split(","),

0 commit comments

Comments
 (0)