config/settings.py

@@ -20,8 +20,13 @@ load_dotenv(BASE_DIR.parent / ".env")
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "change-me")
 DEBUG = os.getenv("DJANGO_DEBUG", "true").lower() == "true"
 
-# Allow all hosts to avoid 404/400 errors during initial deployment
-ALLOWED_HOSTS = ["*"]
+ALLOWED_HOSTS = [
+    "127.0.0.1",
+    "localhost",
+    os.getenv("HOST_FQDN", ""),
+    ".sslip.io",
+    ".coolify.io",
+]
 
 CSRF_TRUSTED_ORIGINS = [
     origin for origin in [
@@ -33,8 +38,8 @@ CSRF_TRUSTED_ORIGINS = [
     f"https://{host}" if not host.startswith(("http://", "https://")) else host
     for host in CSRF_TRUSTED_ORIGINS
 ]
-# Add the current sslip domain if known, or rely on wildcard matching (Django 4.0+ requires explicit trusted origins for CSRF)
-# For now, we rely on the user setting HOST_FQDN correctly.
+# Also allow sslip/coolify for CSRF if needed (wildcards not supported in CSRF_TRUSTED_ORIGINS, requires exact match)
+# Users must set HOST_FQDN or CSRF_TRUSTED_ORIGIN for POST requests to work on these domains.
 
 # Cookies must always be HTTPS-only; SameSite=Lax keeps CSRF working behind the proxy.
 SESSION_COOKIE_SECURE = True

config/urls.py

@@ -3,7 +3,6 @@ from django.urls import path, include
 from django.conf import settings
 from django.conf.urls.static import static
 from django.conf.urls.i18n import i18n_patterns
-from django.http import HttpResponse
 
 from rest_framework import permissions
 from drf_yasg.views import get_schema_view
@@ -23,7 +22,6 @@ schema_view = get_schema_view(
 )
 
 urlpatterns = [
-    path('health/', lambda request: HttpResponse("OK")),  # Simple health check
     path('i18n/', include('django.conf.urls.i18n')),
     # Swagger / Redoc
     path('swagger<format>/', schema_view.without_ui(cache_timeout=0), name='schema-json'),

requirements.txt

@@ -10,4 +10,3 @@ drf-yasg
 gunicorn==22.0.0
 django-cors-headers
 django-admin-rangefilter
-requests