jointakahe / takahe

An ActivityPub/Fediverse server


Document TAKAHE_CSRF_HOSTS

xssfox opened this issue · comments


I was playing around with Takahē (great work, looks amazing). In my situation I was attempting to host it behind CloudFront. CloudFront was configured to forward host headers, cookies, and parameters; however, every time I tried to log in I kept hitting a "CSRF verification failed" and, with debug mode turned on, "does not match any trusted origins".

I didn't see any documentation on how to set the CSRF hosts, but I did see TAKAHE_CSRF_TRUSTED_ORIGINS in the docker compose file. It seems at some point this was replaced with TAKAHE_CSRF_HOSTS.

It would be nice if TAKAHE_CSRF_HOSTS was documented somewhere to avoid having to dive into the source code to work out how to set up the CSRF hosts for Django, and to save time troubleshooting. Likewise, it might be worth revisiting docker-compose.yml, as I suspect some options are no longer relevant or correct (even if the docker-compose.yml file isn't designed for production use).

Thanks for spotting that! I've added some docs for now and fixed up the compose file, but you're right, it probably needs a review; unfortunately, it's the one bit I don't use locally since I'm all on podman so it's a little hard to test and I don't do it as much as I should.
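The "does not match any trusted origins" failure in the issue above comes from Django's CSRF origin check, which the following added example re-implements in plain Python so it can be run without Django or Takahē. This is illustration code written for this page, not Takahē's own settings code; it assumes that TAKAHE_CSRF_HOSTS is a comma-separated list that Takahē passes through to Django's CSRF_TRUSTED_ORIGINS (the issue says the variable configures "the CSRF hosts for Django", but the exact parsing is an assumption here). The logic mirrors Django's `_origin_verified` and `is_same_domain`: the browser's Origin header is compared first with the origin Django reconstructs from the request scheme and Host header, then with the exact and wildcard entries in CSRF_TRUSTED_ORIGINS.

```python
"""Re-implementation of Django's CSRF Origin check, to show why a reverse
proxy (CloudFront, etc.) that terminates TLS triggers "does not match any
trusted origins" and how a trusted-origins list fixes it.  Example code added
for this page; not Takahe's code."""
from urllib.parse import urlsplit

# Message Django emits for a rejected Origin header (Django 4.x wording).
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."


def is_same_domain(host: str, pattern: str) -> bool:
    """Same semantics as django.utils.http.is_same_domain:
    a leading '.' in the pattern matches the domain and any subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def parse_csrf_hosts(env_value: str) -> list[str]:
    """Assumed TAKAHE_CSRF_HOSTS format: comma-separated origins such as
    'https://takahe.example,https://*.takahe.example' (assumption, see lead-in)."""
    return [item.strip() for item in env_value.split(",") if item.strip()]


def origin_verified(origin: str, request_scheme: str, request_host: str,
                    trusted_origins: list[str]) -> bool:
    """Mirror of CsrfViewMiddleware._origin_verified.

    origin         : the browser-supplied Origin header, e.g. "https://takahe.example"
    request_scheme : "https" if Django's request.is_secure() would be True, else "http"
    request_host   : what request.get_host() returns (the forwarded Host header)
    trusted_origins: Django's CSRF_TRUSTED_ORIGINS
    """
    # 1. The cheapest path: Origin equals the origin Django reconstructs itself.
    #    Behind a TLS-terminating proxy Django often sees plain http here, so the
    #    scheme differs from the browser's https Origin and this comparison fails.
    if origin == f"{request_scheme}://{request_host}":
        return True

    # 2. Exact entries of CSRF_TRUSTED_ORIGINS (no wildcard).
    exact = {o for o in trusted_origins if "*" not in o}
    if origin in exact:
        return True

    # 3. Wildcard entries, grouped by scheme, e.g. "https://*.takahe.example".
    subdomains: dict[str, list[str]] = {}
    for o in trusted_origins:
        if "*" in o:
            parsed = urlsplit(o)
            subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))

    try:
        parsed_origin = urlsplit(origin)
    except ValueError:
        return False
    return any(
        is_same_domain(parsed_origin.netloc, host)
        for host in subdomains.get(parsed_origin.scheme, ())
    )


def csrf_reject_reason(origin: str, request_scheme: str, request_host: str,
                       trusted_origins: list[str]):
    """Return None when the request passes, or Django's rejection text otherwise."""
    if origin_verified(origin, request_scheme, request_host, trusted_origins):
        return None
    return REASON_BAD_ORIGIN % origin


if __name__ == "__main__":
    # Constructed scenario matching the issue: the browser talks https to the
    # proxy, the proxy forwards Host but the app sees a plain-http connection.
    browser_origin = "https://takahe.example"
    print(csrf_reject_reason(browser_origin, "http", "takahe.example", []))
    print(csrf_reject_reason(browser_origin, "http", "takahe.example",
                             parse_csrf_hosts("https://takahe.example")))
```

Step 1 is the one that silently breaks behind a proxy: Django decides `request.is_secure()` from the connection it sees (or from `SECURE_PROXY_SSL_HEADER`, if configured), so a plain-HTTP hop from the proxy yields `http://takahe.example`, which is not equal to the browser's `https://takahe.example` Origin. Adding the public origin to the trusted list (steps 2 and 3) is what the TAKAHE_CSRF_HOSTS setting discussed above exists for; entries must include the scheme, and a wildcard entry only matches requests with the same scheme.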