From 232a861f8ae52e1026d59d7088f07211acd166a5 Mon Sep 17 00:00:00 2001
From: Jennifer Richards
Date: Mon, 3 Mar 2025 14:51:14 -0400
Subject: [PATCH] chore: config gunicorn secure_scheme_headers (#8632)

* chore: config gunicorn secure_scheme_headers

* chore: typo in comment
---
 dev/build/gunicorn.conf.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dev/build/gunicorn.conf.py b/dev/build/gunicorn.conf.py
index 6666a0d37..032d95ee0 100644
--- a/dev/build/gunicorn.conf.py
+++ b/dev/build/gunicorn.conf.py
@@ -1,5 +1,11 @@
 # Copyright The IETF Trust 2024, All Rights Reserved
+# Configure security scheme headers for forwarded requests. Cloudflare sets X-Forwarded-Proto
+# for us. Don't trust any of the other similar headers. Only trust the header if it's coming
+# from localhost, as all legitimate traffic will reach gunicorn via co-located nginx.
+secure_scheme_headers = {"X-FORWARDED-PROTO": "https"}
+forwarded_allow_ips = "127.0.0.1, ::1" # this is the default
+
 # Log as JSON on stdout (to distinguish from Django's logs on stderr)
 #
 # This is applied as an update to gunicorn's glogging.CONFIG_DEFAULTS.