Ed Morley
3c2447dd13
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
2016-08-10 20:23:54 -04:00
Shai Berger
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Tim Graham
f6ca63a9f8
Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.
2016-04-09 07:49:40 -04:00
Tim Graham
15a20dc9af
Removed a reference to Django 1.3.1 in docs.
2016-04-04 11:55:34 -04:00
Tim Graham
f2b45ddd99
Fixed #26206 -- Fixed docs comments causing empty code blocks.
2016-02-11 07:58:15 -05:00
Tim Graham
9c43d8252a
Fixed Sphinx highlight warnings in docs.
2016-01-25 11:57:14 -05:00
Alex Gaynor
d7580e286a
Removed a misleading comment about HTTPS.
...
For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS.
2015-12-21 06:47:11 -05:00
Jon Dufresne
7aabd62380
Fixed #25778 -- Updated docs links to use https when available.
2015-12-01 08:01:34 -05:00
Agnieszka Lasyk
1f8dad6915
Fixed #25755 -- Unified spelling of "website".
2015-11-16 06:44:14 -05:00
David Sanders
cc968b9c90
Added links to new security settings introduced in 1.8.
2015-09-04 12:55:32 -04:00
Claude Paroz
e9c5c39631
Updated various links in docs
2015-08-08 13:57:15 +02:00
Claude Paroz
64982cc2fb
Updated Wikipedia links to use https
2015-08-08 12:02:32 +02:00
Tim Graham
97fa7fe961
Fixed #25212 -- Documented the RawSQL expression.
2015-08-05 07:54:54 -04:00
Carl Meyer
d16bc7f0e4
Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
...
Thanks "djbug" for the report.
2014-09-26 11:07:55 -06:00
Tim Graham
9432f1e750
Fixed some doc errors that caused syntax highlighting to fail.
2014-08-18 20:37:47 -04:00
Tim Graham
f65eb15ac6
Fixed #22504 -- Corrected domain terminology in security guide.
...
Thanks chris at chrullrich.net.
2014-04-25 10:27:13 -04:00
Moayad Mardini
3776926cfe
Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
...
Thanks Erik Romijn for the suggestion.
2014-04-25 09:54:49 -04:00
Tim Graham
4965a77407
Removed PIL compatibility layer per deprecation timeline.
...
refs #19934.
2014-03-21 10:54:53 -04:00
Tim Graham
df6760f12c
Added a warning regarding risks in serving user uploaded media.
...
Thanks Preston Holmes for the draft text.
2013-11-27 16:35:25 -05:00
Tim Graham
a3372f67cb
Added a warning regarding session security and subdomains.
2013-10-18 09:42:45 -04:00
Aymeric Augustin
1267d2d9bc
Fixed #20330 -- Normalized spelling of "web server".
...
Thanks Baptiste Mispelon for the report.
2013-04-29 19:40:43 +02:00
Carl Meyer
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin
ebd2598596
Removed django.contrib.markup.
2012-12-29 21:59:07 +01:00
Tim Graham
b3a8c9dab8
Fixed broken links, round 3. refs #19516
2012-12-26 19:07:22 -05:00
Florian Apolloner
27560924ec
Fixed a security issue in get_host.
...
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
David Fischer
58786897a1
Formatting fix for host headers section
2012-09-06 16:10:08 -04:00
David Fischer
c65100248d
Added CSRF with HTTPS/HSTS and forwarding note
2012-09-06 16:08:14 -04:00
David Fischer
ba141e6906
Added note about Strict Transport Security (HSTS)
2012-09-06 15:13:31 -04:00
Luke Plant
0199bdc0b4
Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.
2012-06-04 21:41:05 +01:00
Luke Plant
718f149bb2
Added more explicit warnings about unconfigured reStructured Text usage in docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00
Adrian Holovaty
d3055b3382
Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:48:27 +00:00
Russell Keith-Magee
893cea211a
Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel
f0280f2e94
Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29 09:39:55 +00:00
Luke Plant
9896b0df73
Grammar fixes and content tweaks to XSS section of security docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17 14:17:26 +00:00
Luke Plant
f5c9c2246e
Improved warning about file uploads in docs, and added link from security overview page
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06 23:44:54 +00:00
Jannis Leidel
3ee076b135
Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14 10:34:52 +00:00
Luke Plant
528157ce73
Fixed #14201 - Add a "security overview" page to the docs
...
Thanks to davidfischer for the initial patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00