From 7b6d3104f263d9483982928604b2e51f06126ec1 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 9 Jul 2015 09:06:28 -0400 Subject: [PATCH] Fixed #25048 -- Documented that runservers strips headers with underscores. refs 316b8d49746933d1845d600314b002d9b64d3e3d --- docs/ref/request-response.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt index fbc83bc379..86a9a02172 100644 --- a/docs/ref/request-response.txt +++ b/docs/ref/request-response.txt @@ -153,6 +153,12 @@ All attributes should be considered read-only, unless stated otherwise below. header called ``X-Bender`` would be mapped to the ``META`` key ``HTTP_X_BENDER``. + Note that :djadmin:`runserver` strips all headers with underscores in the + name, so you won't see them in ``META``. This prevents header-spoofing + based on ambiguity between underscores and dashes both being normalizing to + underscores in WSGI environment variables. It matches the behavior of + Web servers like Nginx and Apache 2.4+. + .. attribute:: HttpRequest.user An object of type :setting:`AUTH_USER_MODEL` representing the currently