From 233ec837f611fb8da56b8e67f9a95854470c0df8 Mon Sep 17 00:00:00 2001 From: Ed Morley Date: Thu, 28 Jul 2016 17:30:16 +0100 Subject: [PATCH] [1.10.x] Fixed docs to refer to HSTS includeSubdomains as a directive. The spec refers to it as a 'directive' rather than a 'tag': https://tools.ietf.org/html/rfc6797#section-6.1.2 Backport of 8c3bc5cd7801a307a0bc2969abebe7a6ca48d17f from master --- docs/ref/middleware.txt | 4 ++-- docs/ref/settings.txt | 2 +- tests/middleware/test_security.py | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index 961e4a272f..2d1d0f9604 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -249,8 +249,8 @@ so that infrequent visitors will be protected (31536000 seconds, i.e. 1 year, is common). Additionally, if you set the :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` setting -to ``True``, ``SecurityMiddleware`` will add the ``includeSubDomains`` tag to -the ``Strict-Transport-Security`` header. This is recommended (assuming all +to ``True``, ``SecurityMiddleware`` will add the ``includeSubDomains`` directive +to the ``Strict-Transport-Security`` header. This is recommended (assuming all subdomains are served exclusively using HTTPS), otherwise your site may still be vulnerable via an insecure connection to a subdomain. diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 3cb6b0408e..7e83d424d7 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2040,7 +2040,7 @@ already have it. Default: ``False`` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` adds -the ``includeSubDomains`` tag to the :ref:`http-strict-transport-security` +the ``includeSubDomains`` directive to the :ref:`http-strict-transport-security` header. It has no effect unless :setting:`SECURE_HSTS_SECONDS` is set to a non-zero value. 
diff --git a/tests/middleware/test_security.py b/tests/middleware/test_security.py index 2b6a54eb17..f671600c49 100644 --- a/tests/middleware/test_security.py +++ b/tests/middleware/test_security.py @@ -83,7 +83,7 @@ class SecurityMiddlewareTest(SimpleTestCase): """ With HSTS_SECONDS non-zero and HSTS_INCLUDE_SUBDOMAINS True, the middleware adds a "strict-transport-security" header with the - "includeSubDomains" tag to the response. + "includeSubDomains" directive to the response. """ response = self.process_response(secure=True) self.assertEqual(response["strict-transport-security"], "max-age=600; includeSubDomains") @@ -94,7 +94,7 @@ class SecurityMiddlewareTest(SimpleTestCase): """ With HSTS_SECONDS non-zero and HSTS_INCLUDE_SUBDOMAINS False, the middleware adds a "strict-transport-security" header without - the "includeSubDomains" tag to the response. + the "includeSubDomains" directive to the response. """ response = self.process_response(secure=True) self.assertEqual(response["strict-transport-security"], "max-age=600")
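Review bot: The two docstrings touched in tests/middleware/test_security.py (the hunks at -83 and -94) still name the settings as `HSTS_SECONDS` and `HSTS_INCLUDE_SUBDOMAINS`, while the docs changed in this same commit use the full names `SECURE_HSTS_SECONDS` and `SECURE_HSTS_INCLUDE_SUBDOMAINS`. Since the wording is being corrected anyway, using the full names would let a search for either setting find the tests that pin its header output. The first docstring could open with `With SECURE_HSTS_SECONDS non-zero and SECURE_HSTS_INCLUDE_SUBDOMAINS True, the`, and the second the same with `False`. Both test methods begin above the visible hunk lines, so the settings they override are not shown here and are assumed to be the `SECURE_`-prefixed ones.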