Domain change broke the site
Closed this issue · 3 comments
Just realised that adding the ads after domain change was not working.
Found this in the logs
HTTP Origin header (https://www.potres-petrinja.hr) didn't match request.base_url (http://www.potres-petrinja.hr)
Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 117)
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
After switching back to potres.herokuapp.com as canonical URL everything works again.
Is Cloudflare SSL set to "Flexible"? In that case Cloudflare connects to the Heroku server via HTTP to serve content, but the end user is viewing HTTPS and sends an HTTPS request, so there is a mismatch between those. You can set up Cloudflare to use "Full" SSL so Cloudflare connects to Heroku via HTTPS.
https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options
Another solution is to disable origin checking, and then it will work. This is not really the best security solution because of CSRF attacks, but we don't have any sensitive data and requests, so maybe it is good enough for the current use case.
config.action_controller.forgery_protection_origin_check = false
You can also create a middleware, as described here: https://stackoverflow.com/questions/55109859/trestle-http-origin-header-https-didnt-match-request-base-url-http
Thanks @scandal47
Switching to "Full (Strict)" fixed it. Forgot to check that in a hurry. We are running on www.potres-petrinja.hr again.
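
The mismatch from the log and the trade-off of switching the check off, as an added Ruby example that is not part of the thread or the project's code: a simplified model of comparing the Origin header with the URL the app reconstructs for itself. The env hashes, the `rack.url_scheme` values and `other.example` are constructed samples, and the function names are hypothetical.

```ruby
# Simplified model of the Origin comparison behind the logged error. The env
# hashes are constructed Rack-style samples, not captured traffic, and
# "rack.url_scheme" stands for whatever scheme the app sees on its own hop.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Rebuild scheme://host[:port] from the request as the app receives it.
def base_url(env)
  scheme = env.fetch("rack.url_scheme")
  host, port = env.fetch("HTTP_HOST").split(":", 2)
  port = (port || DEFAULT_PORTS.fetch(scheme)).to_i
  suffix = port == DEFAULT_PORTS[scheme] ? "" : ":#{port}"
  "#{scheme}://#{host}#{suffix}"
end

# Returns :ok, :mismatch or :null_origin. An absent Origin is accepted because
# some user agents do not send one; the literal "null" is always rejected.
def origin_check(env, enabled: true)
  return :ok unless enabled
  origin = env["HTTP_ORIGIN"]
  return :ok if origin.nil?
  return :null_origin if origin == "null"
  origin == base_url(env) ? :ok : :mismatch
end

HOST = "www.potres-petrinja.hr"
SCENARIOS = {
  # Browser speaks HTTPS to the proxy, proxy speaks HTTP to the app.
  flexible:   { "HTTP_ORIGIN" => "https://#{HOST}", "HTTP_HOST" => HOST, "rack.url_scheme" => "http" },
  # HTTPS on both hops: the scheme the app sees matches the browser's Origin.
  full:       { "HTTP_ORIGIN" => "https://#{HOST}", "HTTP_HOST" => HOST, "rack.url_scheme" => "https" },
  # A form posted from a different site (placeholder origin).
  cross_site: { "HTTP_ORIGIN" => "https://other.example", "HTTP_HOST" => HOST, "rack.url_scheme" => "https" }
}.freeze

# One row per scenario: the reconstructed URL and the verdict with the check
# enabled and with it disabled.
def report
  SCENARIOS.to_h do |name, env|
    [name, { base_url: base_url(env),
             checked: origin_check(env),
             unchecked: origin_check(env, enabled: false) }]
  end
end

report.each { |name, row| puts "#{name}: #{row}" }
```

With the check disabled, the `cross_site` row passes this comparison too, so the authenticity token is the only remaining CSRF control for that request.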