Closes #8509: CSRF_TRUSTED_ORIGINS is now a discrete configuration parameter

docs/configuration/optional-settings.md

@@ -66,6 +66,21 @@ CORS_ORIGIN_WHITELIST = [
 
 ---
 
+## CSRF_TRUSTED_ORIGINS
+
+Default: `[]`
+
+Defines a list of trusted origins for unsafe (e.g. `POST`) requests. This is a pass-through to Django's [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-CSRF_TRUSTED_ORIGINS) setting. Note that each host listed must specify a scheme (e.g. `http://` or `https://).
+
+```python
+CSRF_TRUSTED_ORIGINS = (
+    'http://netbox.local',
+    'https://netbox.local',
+)
+```
+
+---
+
 ## DEBUG
 
 Default: False

docs/release-notes/version-3.2.md

@@ -92,6 +92,7 @@ A new REST API endpoint has been added at `/api/ipam/vlan-groups/<pk>/available-
 * [#7748](https://github.com/netbox-community/netbox/issues/7748) - Remove legacy contact fields from site model
 * [#8031](https://github.com/netbox-community/netbox/issues/8031) - Remove automatic redirection of legacy slug-based URLs
 * [#8195](https://github.com/netbox-community/netbox/issues/8195), [#8454](https://github.com/netbox-community/netbox/issues/8454) - Use 64-bit integers for all primary keys
+* [#8509](https://github.com/netbox-community/netbox/issues/8509) - `CSRF_TRUSTED_ORIGINS` is now a discrete configuration parameter (rather than being populated from `ALLOWED_HOSTS`)
 
 ### REST API Changes
 

netbox/netbox/settings.py

@@ -80,6 +80,7 @@ if BASE_PATH:
 CORS_ORIGIN_ALLOW_ALL = getattr(configuration, 'CORS_ORIGIN_ALLOW_ALL', False)
 CORS_ORIGIN_REGEX_WHITELIST = getattr(configuration, 'CORS_ORIGIN_REGEX_WHITELIST', [])
 CORS_ORIGIN_WHITELIST = getattr(configuration, 'CORS_ORIGIN_WHITELIST', [])
+CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])
 DATE_FORMAT = getattr(configuration, 'DATE_FORMAT', 'N j, Y')
 DATETIME_FORMAT = getattr(configuration, 'DATETIME_FORMAT', 'N j, Y g:i a')
 DEBUG = getattr(configuration, 'DEBUG', False)
@@ -404,8 +405,6 @@ MESSAGE_TAGS = {
 LOGIN_URL = f'/{BASE_PATH}login/'
 LOGIN_REDIRECT_URL = f'/{BASE_PATH}'
 
-CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
-
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
 # Exclude potentially sensitive models from wildcard view exemption. These may still be exempted