diff --git a/config/settings.py b/config/settings.py
index 395ce0e..7191634 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -109,10 +109,16 @@
 ALLOW_LIST = list(set(ALLOW_LIST))
 ALLOWED_HOSTS = ALLOW_LIST
-# CSRF_TRUSTED_ORIGINS = [
-# r"^https://.*\.dbca\.wa\.gov\.au$",
-# r"^http://127\.0\.0\.1:3000$",
-# ]
+CSRF_TRUSTED_ORIGINS = [
+ "https://scienceprojects-migrated.dbca.wa.gov.au",
+ "https://scienceprojects-test.dbca.wa.gov.au",
+ "https://scienceprojects.dbca.wa.gov.au",
+ "https://profiles-test.dbca.wa.gov.au",
+ "https://profiles-migrated.dbca.wa.gov.au",
+ "https://profiles.dbca.wa.gov.au",
+ "http://127.0.0.1:3000",
+ "http://127.0.0.1",
+]
 if DEBUG:
 # Ensure all dbca subroutes allowed and local dev
@@ -195,7 +201,20 @@
 INSTALLED_APPS = SYSTEM_APPS + THIRD_PARTY_APPS + CUSTOM_APPS
-# HAS NO CSRF
+# # HAS NO CSRF
+# MIDDLEWARE = [
+# "corsheaders.middleware.CorsMiddleware",
+# "django.middleware.security.SecurityMiddleware",
+# "whitenoise.middleware.WhiteNoiseMiddleware",
+# "django.contrib.sessions.middleware.SessionMiddleware",
+# "django.contrib.auth.middleware.AuthenticationMiddleware",
+# "config.dbca_middleware.DBCAMiddleware",
+# "django.middleware.common.CommonMiddleware",
+# "django.contrib.messages.middleware.MessageMiddleware",
+# "django.middleware.clickjacking.XFrameOptionsMiddleware",
+# ]
+
+# if DEBUG:
 MIDDLEWARE = [
 "corsheaders.middleware.CorsMiddleware",
 "django.middleware.security.SecurityMiddleware",
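Review bot: `http://127.0.0.1:3000` and `http://127.0.0.1` are listed as trusted CSRF origins unconditionally, so the production deployments named in the same list also accept state-changing requests whose Origin/Referer is a plain-http loopback address; the `if DEBUG:` block that immediately follows (its comment mentions local dev) is where those two entries belong. Keep the top-level list to the https dbca.wa.gov.au hosts and append the loopback origins only in development, e.g. `if DEBUG:` / `    CSRF_TRUSTED_ORIGINS += ["http://127.0.0.1:3000", "http://127.0.0.1"]`. A one-line comment above the list, `# Origins that may submit CSRF-protected requests; keep to https production/test hosts`, would stop the next local-dev entry landing here again. The body of the `if DEBUG:` block continues past the hunk, so I cannot see what it already appends.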
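Review bot: The thirteen added lines are a commented-out copy of the middleware list plus a commented `# if DEBUG:`, which is dead code that will silently drift from the live `MIDDLEWARE` directly below it, and the `# # HAS NO CSRF` label is now misleading because the live list gains `CsrfViewMiddleware` in the next hunk. Delete the commented block and replace it with one line that records the intent, e.g. `# Single MIDDLEWARE for every environment; CsrfViewMiddleware is always enabled.`. The live `MIDDLEWARE` definition that starts at the end of this hunk continues outside it.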
@@ -204,24 +223,11 @@
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "config.dbca_middleware.DBCAMiddleware",
 "django.middleware.common.CommonMiddleware",
+ "django.middleware.csrf.CsrfViewMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
-if DEBUG:
- MIDDLEWARE = [
- "corsheaders.middleware.CorsMiddleware",
- "django.middleware.security.SecurityMiddleware",
- "whitenoise.middleware.WhiteNoiseMiddleware",
- "django.contrib.sessions.middleware.SessionMiddleware",
- "django.contrib.auth.middleware.AuthenticationMiddleware",
- "config.dbca_middleware.DBCAMiddleware",
- "django.middleware.common.CommonMiddleware",
- "django.middleware.csrf.CsrfViewMiddleware",
- "django.contrib.messages.middleware.MessageMiddleware",
- "django.middleware.clickjacking.XFrameOptionsMiddleware",
- ]
-
 REST_FRAMEWORK = {
 "DEFAULT_PERMISSION_CLASSES": [
 "rest_framework.permissions.IsAuthenticated",
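Review bot: `CsrfViewMiddleware` now runs in every environment, but nothing on the added line says this is deliberate, and the custom `config.dbca_middleware.DBCAMiddleware` sits ahead of it in the chain; Django performs the CSRF check in `process_view`, so whatever that middleware does on an unsafe request (I cannot see it from here — presumably it establishes the user from request headers) happens before the token is verified, which is fine if it only authenticates but should be confirmed if it changes any state. A short comment on the added line, `# CSRF check happens in process_view, i.e. after DBCAMiddleware; allowed origins are CSRF_TRUSTED_ORIGINS`, would record the ordering for the next reader. The `REST_FRAMEWORK` dict at the end of the hunk continues outside it, so I cannot see whether `SessionAuthentication` is in use.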