Use verbose_csrf_middleware

this should make it so that you get the debug information right at the moment
you're experiencing the problem (rather than having to go to a special page)

bugsink/settings/default.py

@@ -81,7 +81,7 @@ MIDDLEWARE = [
     'whitenoise.middleware.WhiteNoiseMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
+    'verbose_csrf_middleware.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
 
     'bugsink.middleware.LoginRequiredMiddleware',

requirements.txt

@@ -14,3 +14,4 @@ requests  # for sentry-sdk-extensions, which is loaded in non-dev setup too
 monofy
 user_agents
 fastjsonschema
+verbose_csrf_middleware

templates/403_csrf.html

@@ -0,0 +1,19 @@
+{% extends "base.html" %}
+{% comment %}
+Note on security: the basic principle is "the more you expose, the more an attacker knows."
+In this case, I think it should be fine, because all we expose here is stuff about mismatched hosts, and:
+
+1. this will only happen while your site isn't properly configured yet
+2. bugsink recommends a setup with a single host, so this info is literally knowable by looking at the URL bar
+
+{% endcomment %}
+
+{% block title %}403 Forbidden{% endblock %}
+
+{% block content %}
+<div class="m-4">
+<h1 class="text-4xl mt-4 font-bold">CSRF verification failed, request aborted</h1>
+
+<div class="pt-2">{{ reason }}</div>
+</div>
+{% endblock %}