diff --git a/galaxy/README.md b/galaxy/README.md
index 8699201..793e42c 100644
--- a/galaxy/README.md
+++ b/galaxy/README.md
@@ -244,7 +244,7 @@ GALAXY_HOST="galaxy.example.com"
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out ./pulp/tls.crt -keyout ./pulp/tls.key -subj "/CN=${GALAXY_HOST}/O=${GALAXY_HOST}" -addext "subjectAltName = DNS:${GALAXY_HOST}"
 ```
 
-Modify `ingress_host` in `pulp/galaxy.yaml`.
+Modify `ingress_host` and `CSRF_TRUSTED_ORIGINS` in `pulp/galaxy.yaml`.
 
 ```yaml
 ...
@@ -254,6 +254,11 @@ spec:
   ingress_class_name: traefik
   ingress_tls_secret: galaxy-secret-tls
   ingress_host: galaxy.example.com     👈👈👈
+  ...
+  pulp_settings:
+    ...
+    CSRF_TRUSTED_ORIGINS:
+      - https://galaxy.example.com     👈👈👈
 ...
 ```
 
diff --git a/galaxy/pulp/galaxy.yaml b/galaxy/pulp/galaxy.yaml
index 5e93bcc..944f518 100644
--- a/galaxy/pulp/galaxy.yaml
+++ b/galaxy/pulp/galaxy.yaml
@@ -30,6 +30,8 @@ spec:
   pulp_settings:
     TOKEN_AUTH_DISABLED: "True"
     GALAXY_FEATURE_FLAGS__ai_deny_index: "True"
+    CSRF_TRUSTED_ORIGINS:
+      - https://galaxy.example.com
 
   api:
     replicas: 1