From df83dac83064b345b4e76728d2b898045f0f3aca Mon Sep 17 00:00:00 2001
From: Welton Moura
Date: Sun, 5 Apr 2026 12:20:40 -0300
Subject: [PATCH] feat: configure CSRF_TRUSTED_ORIGINS via environment variables for production domains
---
 docker-compose.yml | 1 +
 gestaoRaul/settings.py | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1b2bd52..75c6a3c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,7 @@ services:
 environment:
 - DEBUG=True
 - ALLOWED_HOSTS=*
+ - CSRF_TRUSTED_ORIGINS=https://raulrockbar.com.br,https://api.raulrockbar.com.br
 volumes:
 - /DATA/AppData/rrbec-api-django:/app
 
diff --git a/gestaoRaul/settings.py b/gestaoRaul/settings.py
index 7213c2e..07ead03 100644
--- a/gestaoRaul/settings.py
+++ b/gestaoRaul/settings.py
@@ -39,7 +39,11 @@ SECRET_KEY = os.getenv(
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = os.getenv("DEBUG", "True") == "True"
 
-ALLOWED_HOSTS = ["*"]
+CSRF_TRUSTED_ORIGINS = (
+ os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",")
+ if os.getenv("CSRF_TRUSTED_ORIGINS")
+ else []
+)
 
 
 # Application definition
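Review bot: In docker-compose.yml the new `CSRF_TRUSTED_ORIGINS` entry names the production HTTPS origins on a service whose environment, per the context lines of this hunk, still sets `DEBUG=True` and `ALLOWED_HOSTS=*`. If this compose file is what serves those domains, Django's debug error pages would show tracebacks and settings values to any visitor who triggers an error, and the wildcard disables Host-header validation. For the production deployment I would change the neighbouring lines to `- DEBUG=False` and an explicit host list such as `- ALLOWED_HOSTS=raulrockbar.com.br,api.raulrockbar.com.br`, which only takes effect once settings.py actually reads that variable.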
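Review bot: The hunk in gestaoRaul/settings.py deletes `ALLOWED_HOSTS = ["*"]` and adds no replacement, so unless the setting is defined elsewhere in the file (not visible here) Django falls back to an empty list and answers requests for the production hostnames with a 400; only localhost is accepted, and only while DEBUG is on. Nothing in this hunk reads the `ALLOWED_HOSTS=*` variable that docker-compose.yml sets. Reading it from the environment keeps the commit's intent and lets production use an explicit list: `ALLOWED_HOSTS = [h.strip() for h in os.getenv("ALLOWED_HOSTS", "").split(",") if h.strip()]`. The same pattern would tighten the new setting, because the plain `split(",")` keeps surrounding whitespace and the empty item left by a trailing comma, and such entries will not match a request's origin: `CSRF_TRUSTED_ORIGINS = [o.strip() for o in os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",") if o.strip()]`.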