Unable to add new users via admin site, Origin header "null"

[frewmack]

Hello! I'm running seqr using docker compose behind a HAProxy instance, and I'm running into issues with submitting forms in the admin site. The admin site gives me 403 Forbidden errors as a response, and the seqr container logs show this error:

seqr | 2024-10-28T18:36:32.460793914Z {"timestamp": "2024-10-28 18:36:32,459", "severity": "WARNING", "message": "Forbidden (Origin checking failed - null does not match any trusted origins.): /admin/auth/user/add/"}

The browser sends null as the value for the HTTP "Origin" header, and I'm not sure how to correct this behaviour. This only seems to happen in the admin site; other POST requests within seqr correctly set the Origin header to the site's domain as expected (eg. adding/removing users from projects).

I've checked this prior discussion and can confirm that my domain name is in the settings.py as expected. The problem is that POST requests from the admin site (seqr.<domain>.com/admin/) set the request Origin header as null for some reason.

Please let me know if there's anything I can do to fix this, or if there's any additional information needed. Thanks!

[hanars]

In our production instance of seqr the django admin does set the Origin header correctly. Are you sure this is an issue with the seqr app and not an issue with your proxy?

[frewmack]

You're correct, this was an issue with our proxy. Our proxy was setting the Referrer-Policy header to no-referrer, which makes the browser set the Origin header to null as outlined in the Mozilla MDN Developer docs. We changed it to same-origin and the admin site works again. Thanks for the help!

[hanars]

glad to hear its resolved!