François Freitag
9b15ff08ba
Used auto-numbered lists in documentation.
2018-11-15 13:54:28 -05:00
Tim Graham
6e8508734b
Described how querysets are protected from SQL injection in more detail.
2017-11-01 11:34:17 -04:00
Ed Morley
3c2447dd13
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
2016-08-10 20:23:54 -04:00
Shai Berger
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Tim Graham
f6ca63a9f8
Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.
2016-04-09 07:49:40 -04:00
Tim Graham
15a20dc9af
Removed a reference to Django 1.3.1 in docs.
2016-04-04 11:55:34 -04:00
Tim Graham
f2b45ddd99
Fixed #26206 -- Fixed docs comments causing empty code blocks.
2016-02-11 07:58:15 -05:00
Tim Graham
9c43d8252a
Fixed Sphinx highlight warnings in docs.
2016-01-25 11:57:14 -05:00
Alex Gaynor
d7580e286a
Removed a misleading comment about HTTPS.
...
For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS.
2015-12-21 06:47:11 -05:00
Jon Dufresne
7aabd62380
Fixed #25778 -- Updated docs links to use https when available.
2015-12-01 08:01:34 -05:00
Agnieszka Lasyk
1f8dad6915
Fixed #25755 -- Unified spelling of "website".
2015-11-16 06:44:14 -05:00
David Sanders
cc968b9c90
Added links to new security settings introduced in 1.8.
2015-09-04 12:55:32 -04:00
Claude Paroz
e9c5c39631
Updated various links in docs
2015-08-08 13:57:15 +02:00
Claude Paroz
64982cc2fb
Updated Wikipedia links to use https
2015-08-08 12:02:32 +02:00
Tim Graham
97fa7fe961
Fixed #25212 -- Documented the RawSQL expression.
2015-08-05 07:54:54 -04:00
Carl Meyer
d16bc7f0e4
Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
...
Thanks "djbug" for the report.
2014-09-26 11:07:55 -06:00
Tim Graham
9432f1e750
Fixed some doc errors that caused syntax highlighting to fail.
2014-08-18 20:37:47 -04:00
Tim Graham
f65eb15ac6
Fixed #22504 -- Corrected domain terminology in security guide.
...
Thanks chris at chrullrich.net.
2014-04-25 10:27:13 -04:00
Moayad Mardini
3776926cfe
Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
...
Thanks Erik Romijn for the suggestion.
2014-04-25 09:54:49 -04:00
Tim Graham
4965a77407
Removed PIL compatability layer per deprecation timeline.
...
refs #19934 .
2014-03-21 10:54:53 -04:00
Tim Graham
df6760f12c
Added a warning regarding risks in serving user uploaded media.
...
Thanks Preston Holmes for the draft text.
2013-11-27 16:35:25 -05:00
Tim Graham
a3372f67cb
Added a warning regarding session security and subdomains.
2013-10-18 09:42:45 -04:00
Aymeric Augustin
1267d2d9bc
Fixed #20330 -- Normalized spelling of "web server".
...
Thanks Baptiste Mispelon for the report.
2013-04-29 19:40:43 +02:00
Carl Meyer
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin
ebd2598596
Removed django.contrib.markup.
2012-12-29 21:59:07 +01:00
Tim Graham
b3a8c9dab8
Fixed broken links, round 3. refs #19516
2012-12-26 19:07:22 -05:00
Florian Apolloner
27560924ec
Fixed a security issue in get_host.
...
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
David Fischer
58786897a1
Formatting fix for host headers section
2012-09-06 16:10:08 -04:00
David Fischer
c65100248d
Added CSRF with HTTPS/HSTS and forwarding note
2012-09-06 16:08:14 -04:00
David Fischer
ba141e6906
Added note about Strict Transport Security (HSTS)
2012-09-06 15:13:31 -04:00
Luke Plant
0199bdc0b4
Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.
2012-06-04 21:41:05 +01:00
Luke Plant
718f149bb2
Added more explicit warnings about unconfigured reStructured Text usage in docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00
Adrian Holovaty
d3055b3382
Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:48:27 +00:00
Russell Keith-Magee
893cea211a
Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel
f0280f2e94
Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29 09:39:55 +00:00
Luke Plant
9896b0df73
Grammar fixes and content tweaks to XSS section of security docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17 14:17:26 +00:00
Luke Plant
f5c9c2246e
Improved warning about file uploads in docs, and added link from security overview page
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06 23:44:54 +00:00
Jannis Leidel
3ee076b135
Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14 10:34:52 +00:00
Luke Plant
528157ce73
Fixed #14201 - Add a "security overview" page to the docs
...
Thanks to davidfischer for the initial patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00