Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.

Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.
Luke Plant 2012-06-04 20:39:57 +01:00
parent 0199bdc0b4
commit 840ffd80ba
1 changed files with 3 additions and 2 deletions

@ -1605,7 +1605,8 @@ method.
This takes some explanation. By default, ``is_secure()`` is able to determine This takes some explanation. By default, ``is_secure()`` is able to determine
whether a request is secure by looking at whether the requested URL uses whether a request is secure by looking at whether the requested URL uses
"https://". "https://". This is important for Django's CSRF protection, and may be used
by your own code or third-party apps.
If your Django app is behind a proxy, though, the proxy may be "swallowing" the If your Django app is behind a proxy, though, the proxy may be "swallowing" the
fact that a request is HTTPS, using a non-HTTPS connection between the proxy fact that a request is HTTPS, using a non-HTTPS connection between the proxy
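
Review bot: The added sentence after "https://". says ``is_secure()`` "is important for Django's CSRF protection" but does not say what goes wrong when the result is wrong. The commit message states that both false positives and false negatives can be dangerous, yet the documentation text gives the reader neither case. Suggest adding a clause, or a cross-reference to the CSRF documentation, that names which check depends on ``is_secure()`` and what happens when it returns the wrong value in each direction. "may be used by your own code or third-party apps" is also vague; one short example of such a use (for instance, code that decides whether to redirect to HTTPS) would make the stakes concrete.
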
@ -1635,7 +1636,7 @@ available in ``request.META``.)
.. warning:: .. warning::
**You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**
Make sure ALL of the following are true before setting this (assuming the Make sure ALL of the following are true before setting this (assuming the
values from the example above): values from the example above):
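
Review bot: In the bold warning, "And if you fail to set it when you should." is a sentence fragment, and the checklist that follows ("Make sure ALL of the following are true before setting this") still covers only the case of setting the header when you should not. Suggest folding the two into one sentence, for example "...if you set this without knowing what you're doing, or if you fail to set it when you should.", and adding a line saying when the setting is required (the proxy case described earlier in this section), so the newly mentioned failure mode comes with guidance instead of a bare warning.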