7 months ago
Hi, I've been trying to solve this "insecure" issue for a while, but I couldn't figure it out. My connected domain is marked as insecure and has a red lock next to the URL.
I have 2 services running on my project (Frontend: Next.js, Backend: Django).
I checked for mixed content, cookie management, Django settings, etc., but couldn't find a way to fix it.
settings.py:
SESSION_COOKIE_SECURE = True # Ensure session cookies are only sent over HTTPS
CSRF_COOKIE_SECURE = True # Ensure CSRF cookies are only sent over HTTPS
SESSION_COOKIE_SAMESITE = 'None' # Allow cookies for cross-site requests (since Railway uses HTTPS)
CSRF_COOKIE_SAMESITE = 'Lax' # CSRF protection: Lax is generally safe and recommended
SECURE_SSL_REDIRECT = True # Redirect all HTTP requests to HTTPS
SECURE_BROWSER_XSS_FILTER = True # Prevent cross-site scripting (XSS) attacks
SECURE_CONTENT_TYPE_NOSNIFF = True # Prevent the browser from interpreting files as a different MIME type
X_FRAME_OPTIONS = 'DENY' # Prevent clickjacking by disallowing iframes
SECURE_HSTS_SECONDS = 31536000 # Use HTTP Strict Transport Security (HSTS) to force HTTPS
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
CORS_ALLOW_ALL_ORIGINS = True
DEBUG = False
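A static check of the settings quoted above, as an added example that is not part of the original post. The finding names are made up for this sketch, `SAMPLE` is a constructed subset of the posted values, and the redirect finding assumes the app runs behind a proxy that terminates TLS.

```python
import ast

# Constructed sample: a subset of the settings quoted in the post above.
SAMPLE = """
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'None'
SECURE_SSL_REDIRECT = True
CORS_ALLOW_ALL_ORIGINS = True
DEBUG = False
"""


def load_settings(source):
    """Collect NAME = <literal> assignments without executing the file."""
    found = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                found[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value (environment lookup etc.): skip it
    return found


def audit(source):
    """Return sorted finding names (hypothetical labels) for a settings text."""
    s = load_settings(source)
    findings = set()
    if s.get("DEBUG", False):
        findings.add("debug-enabled")
    # Browsers reject SameSite=None cookies that are not also marked Secure.
    for prefix in ("SESSION", "CSRF"):
        if (s.get(f"{prefix}_COOKIE_SAMESITE") == "None"
                and not s.get(f"{prefix}_COOKIE_SECURE")):
            findings.add(f"{prefix.lower()}-samesite-none-without-secure")
    # django-cors-headers: any origin may read responses; with credentials
    # enabled as well, any origin may do so using the visitor's cookies.
    if s.get("CORS_ALLOW_ALL_ORIGINS"):
        with_creds = s.get("CORS_ALLOW_CREDENTIALS")
        findings.add("cors-credentials-any-origin" if with_creds
                     else "cors-any-origin")
    # Assumption: TLS ends at a proxy, so Django sees plain HTTP and keeps
    # redirecting unless SECURE_PROXY_SSL_HEADER names the forwarded header.
    if s.get("SECURE_SSL_REDIRECT") and "SECURE_PROXY_SSL_HEADER" not in s:
        findings.add("ssl-redirect-without-proxy-header")
    return sorted(findings)
```
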
8 Replies
7 months ago
Here are some screenshots. I'd appreciate it if someone could tell me what to try next. I can share any part of my code necessary.
7 months ago
Please send the domain in question.
https://agent.ditra.org
7 months ago
You have incorrectly set up your domain.
You need to be using Cloudflare's nameservers - https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/
7 months ago
I changed my nameservers to Cloudflare, and turned off proxy status for my subdomain (agent.ditra.org). Now it works great securely!
Thanks for the help @brody!
Status changed to Solved brody • 7 months ago
Status changed to Open denizmatar • 7 months ago
7 months ago
Hi again @brody
I was trying to connect my backend to a subdomain (api.ditra.org), but there seems to be a weird problem. After adding the DNS record, the new backend URL (api.ditra.org) receives the requests but forwards them to port 8080 instead of 8000 (?). The old URL (agents-backend-production.up.railway.app) still works fine. I don't know what to do and I have no idea what could be the cause of this. I'd appreciate your help to resolve this situation. I'm attaching some screenshots.
PS: As you can see in the thread above, I was unable to connect my frontend service to agent.ditra.org with Hostinger. I had a DNS record there, but it wasn't working. After changing my nameservers to Cloudflare, it automatically started working (and it turned into an A record; I'm scared to change it to CNAME). I didn't have to add a new record to Cloudflare. However, as you can see in the screenshot, the frontend service custom domain says: "Waiting for DNS update", even though it works just fine. In contrast, the backend service says "Setup complete" but it doesn't work.
7 months ago
I solved it by deleting the custom domain and adding it again with port 8000. I have no idea why it picks a different port when not selected manually.
7 months ago
I'm glad you got it working, but please only ever use CNAMEs. We don't support A types, and your domain could break at some point.