OS-89: moved csrf settings from prod to security

Author: sniedzielski

openIMIS/openIMIS/settings/prod.py

@@ -31,18 +31,6 @@
 USE_X_FORWARDED_HOST = BEHIND_PROXY
 SECURE_SSL_REDIRECT = not BEHIND_PROXY  # Only redirect if not behind a proxy
 
-# CSRF settings
-CSRF_COOKIE_SECURE = True
-SESSION_COOKIE_SECURE = True
-
-# CORS settings
-CORS_ALLOW_CREDENTIALS = True
-
-# Cookie settings
-SESSION_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
-CSRF_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
-CSRF_COOKIE_HTTPONLY = False  # False if you need to access it from JavaScript
-
 # HSTS settings (if using HTTPS)
 if 'https' in protos:
     SECURE_HSTS_SECONDS = 31536000  # 1 year

openIMIS/openIMIS/settings/security.py

@@ -89,8 +89,17 @@
 RATELIMIT_GROUP = os.getenv('RATELIMIT_GROUP', 'graphql')
 RATELIMIT_SKIP_TIMEOUT = os.getenv('RATELIMIT_SKIP_TIMEOUT', 'False')
 
+# CSRF settings
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
 
+# CORS settings
+CORS_ALLOW_CREDENTIALS = True
 
+# Cookie settings
+SESSION_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_HTTPONLY = False  # False if you need to access it from JavaScript
 
 # Adjust other settings as needed for your specific application
 # ...