Changes
Running PostHog with `DEBUG=1` in production and behind an HTTPS proxy (e.g. nginx) causes issues with the toolbar. Under these conditions the `Secure` flag will be removed from the session cookie, causing browsers to either display a warning like so: ... or (soon?) to not acknowledge the cookie at all. This is especially the case with `SameSite=None` cookies that we use to get the session ID when running the toolbar on someone's site.

When `DEBUG=1` is set, then `settings.SESSION_COOKIE_SECURE` is not set as we are assumed to run on HTTP. That is correct behavior, as turning on `Secure` when over HTTP would cause the session cookie to be ignored.

This PR adds a warning message that shows when PostHog is running with `DEBUG=1`. We should dissuade users from doing this in production. Hopefully those affected will act accordingly.

I'll make a separate PR for "running development over https" (probably via ngrok) later.
Checklist
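
The cookie behaviour described in this pull request, as an added example that is not part of the original PR or PostHog's code: it builds the session `Set-Cookie` header the way the description says `DEBUG` affects it, then audits that header against the scheme the browser actually sees. The function names, finding labels and the cookie value are hypothetical and constructed for illustration.

```python
from http.cookies import SimpleCookie


def session_cookie_header(debug: bool, name: str = "sessionid") -> str:
    """Build a session Set-Cookie value. Assumption taken from the PR text:
    Secure is only set when DEBUG is off; SameSite=None is always used."""
    cookie = SimpleCookie()
    cookie[name] = "constructed-sample-value"  # constructed, not a real session ID
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "None"
    if not debug:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def audit_set_cookie(header: str, client_scheme: str) -> list:
    """Return (cookie_name, finding) pairs for a Set-Cookie value, given the
    scheme the browser uses to reach the site (the proxy's, not the app's)."""
    findings = []
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        secure = bool(morsel["secure"])
        samesite = morsel["samesite"].lower()
        # Browsers warn about, or refuse, SameSite=None cookies lacking Secure.
        if samesite == "none" and not secure:
            findings.append((name, "samesite-none-without-secure"))
        # TLS terminates at the proxy but the app still thinks it is on HTTP.
        if client_scheme == "https" and not secure:
            findings.append((name, "https-site-cookie-not-secure"))
        # The opposite mistake: a Secure cookie is ignored over plain HTTP.
        if client_scheme == "http" and secure:
            findings.append((name, "secure-cookie-on-plain-http"))
    return findings


if __name__ == "__main__":
    for debug, scheme in [(True, "https"), (False, "https"), (False, "http")]:
        header = session_cookie_header(debug)
        print(f"DEBUG={int(debug)} via {scheme}: {header}")
        for name, finding in audit_set_cookie(header, scheme):
            print(f"  finding: {name}: {finding}")
```
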