We use django 1.8. on backend with default authorization that runs on elasticbeanstalk and AWS CloudFront to cache app pages on CDN level. The problem is that we want to whitelist as few http headers as possible to minimize keys amount and maximize hit rate. One of the headers that varies a lot and we would prefer to exclude is HTTP_REFERER. On business level we are fine with resolving referer through js by using document.referer and that sending it to server with ajax calls.
The problem: csrf login, registration and other default django authentification apps require HTTP_REFERER when used on website on https protocol.
One of the solutions I found is to move all auth pages to separate behaviours and proxy all headers there. Are there any other ways to make such set up work?
I don't think there's another solution then the one you mention, use a separate behavior.
I usually use rest api calls from frontend to backend so I don't need the Referer header there.
Then add an extra behavior for /admin/ where I do forward Referer.