diff --git a/src/booking.py b/src/booking.py
index 1e591a8..a670b8b 100644
--- a/src/booking.py
+++ b/src/booking.py
@@ -7,7 +7,7 @@ import markdown
 
 import requests
 import shortuuid
-from django.conf.global_settings import CSRF_TRUSTED_ORIGINS
+from django.views.decorators.csrf import csrf_exempt
 from django.core.validators import URLValidator
 from django.db import models
 from django.shortcuts import render, get_object_or_404
@@ -40,8 +40,6 @@ app = Django(
     STATICFILES_DIRS=[
         BASE_DIR / "static",
     ],
-    CSRF_TRUSTED_ORIGINS=[host for host in
-                          os.getenv("DJANGO_ALLOWED_HOSTS", "").split(",")]
 )
 
 # Import ninja after nanodjango has been initialised to avoid this error:
@@ -250,6 +248,7 @@ def get_version():
 
 
 @api.get("/info")
+@csrf_exempt
 def info(request):
     if request.user.is_anonymous:
         user = APIKey.objects.get(key=request.auth.key).user
@@ -260,6 +259,7 @@ def info(request):
 
 
 @api.post("/{calendar}/event", response={201: EventSchemaOut})
+@csrf_exempt
 def create_event(request, calendar: str, event: EventSchemaIn):
     user = get_user(request)
     cal = get_object_or_404(Calendar, name=calendar)
@@ -271,6 +271,7 @@ def create_event(request, calendar: str, event: EventSchemaIn):
 
 
 @api.delete("/{calendar}/event/{event_id}", response={204: None})
+@csrf_exempt
 def delete_event(request, calendar: str, event_id: str):
     user = get_user(request)
     cal = get_object_or_404(Calendar, name=calendar)
@@ -286,6 +287,7 @@ app.route("api/", include=api.urls)
 
 
 @app.route("/")
+@csrf_exempt
 def home(request):
     return render(request, "index.html", {
         "content": get_markdown(),