From 7e6e7376cf0893450ea38b2071a6c6a590eb61a8 Mon Sep 17 00:00:00 2001
From: zawan-ila <87228907+zawan-ila@users.noreply.github.com>
Date: Tue, 10 Sep 2024 16:12:33 +0500
Subject: [PATCH] fix: add setting variable to determine request scheme (#4438)

---
 course_discovery/settings/production.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/course_discovery/settings/production.py b/course_discovery/settings/production.py
index bb2c408853..44609c0bd0 100644
--- a/course_discovery/settings/production.py
+++ b/course_discovery/settings/production.py
@@ -94,3 +94,10 @@
     k.lower(): (v.replace("\\n", "\n") if k.lower() == "private_key" else v)
     for (k, v) in GOOGLE_SERVICE_ACCOUNT_CREDENTIALS.items()
 }
+
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See https://docs.djangoproject.com/en/5.1/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')