From 14f0125a3218ca37db622b9a937b39850076c085 Mon Sep 17 00:00:00 2001
From: Flook
Date: Tue, 28 Apr 2026 15:54:51 +0700
Subject: [PATCH] chore: improve CSRF_TRUSTED_ORIGINS

---
 core/settings.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/core/settings.py b/core/settings.py
index 9f3c060..4e65341 100644
--- a/core/settings.py
+++ b/core/settings.py
@@ -27,7 +27,13 @@ SECRET_KEY = os.environ.get("SECRET_KEY", "unsafe-dev-secret")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
 
-ALLOWED_HOSTS = ["*"]
+# อนุญาตให้ Domain ใหม่เข้าถึง Application ได้
+ALLOWED_HOSTS = [
+    "lms-admin.panmodel.com",
+    "api.panmodel.com",
+    "localhost",
+    "127.0.0.1",
+]
 
 # Application definition
 INSTALLED_APPS = [
@@ -114,6 +120,16 @@ REST_FRAMEWORK = {
 
 CORS_ALLOW_ALL_ORIGINS = True # ควรเป็น False ใน Production
 
+# ยืนยันความปลอดภัยให้ Domain ใหม่ (ต้องใส่ https:// ด้วยครับ)
+CSRF_TRUSTED_ORIGINS = [
+    "https://lms-admin.panmodel.com",
+]
+
+# บอกให้ Django รู้ว่าอยู่หลัง Nginx Ingress (เพื่อให้ดึง Protocol/Host ถูกต้อง)
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+
+
 # Password validation
 # https://docs.djangoproject.com/en/6.0/ref/settings/#auth-password-validators
 
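Review bot: `localhost` and `127.0.0.1` land in the production `ALLOWED_HOSTS` with no explanation, so the next maintainer cannot tell whether they are required (for example in-cluster health probes that reach the pod with a loopback `Host`) or are a leftover from the `["*"]` wildcard being replaced. Add a why-comment on those two entries, e.g. `# localhost/127.0.0.1: only for in-cluster probes that bypass the ingress — TODO confirm`, or gate them behind an environment flag so the production list holds only the public hostnames. The new comment is in Thai while the surrounding settings comments (`# SECURITY WARNING: ...`) are English; keeping one language for comments in this file would help reviewers.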
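Review bot: `SECURE_PROXY_SSL_HEADER` and `USE_X_FORWARDED_HOST` make Django trust whatever `X-Forwarded-Proto` and `X-Forwarded-Host` arrive on the request, which is only safe if the ingress overwrites those headers on every request and nothing can reach the application port directly; a client that bypasses the proxy can otherwise mark a plain-HTTP request as secure, and that scheme feeds `request.is_secure()` and the origin comparison done by the CSRF check this commit is tuning. Please confirm that in the ingress config and record it next to the setting: `# Ingress overwrites X-Forwarded-Proto/Host on every request; never expose the app port directly — TODO confirm`. `api.panmodel.com` is added to `ALLOWED_HOSTS` in the first hunk but not to `CSRF_TRUSTED_ORIGINS`; that is sufficient only if browser POSTs to the API come from `lms-admin.panmodel.com` pages or same-origin, so if any other origin must post with cookies it belongs in this list as `"https://api.panmodel.com",` rather than being left to fail. The `CORS_ALLOW_ALL_ORIGINS = True` context line directly above, with its own "should be False in production" remark, still contradicts the tightening this commit makes; the matching change would be `CORS_ALLOW_ALL_ORIGINS = False` plus `CORS_ALLOWED_ORIGINS = ["https://lms-admin.panmodel.com"]`.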