Standardized links for headers in security middleware documentation.

Nick Pope 2019-03-24 21:26:04 +00:00 committed by Carlton Gibson
parent 7254f1138d
commit fc62e16291
1 changed files with 4 additions and 4 deletions

@ -197,7 +197,7 @@ HTTP Strict Transport Security
For sites that should only be accessed over HTTPS, you can instruct modern For sites that should only be accessed over HTTPS, you can instruct modern
browsers to refuse to connect to your domain name via an insecure connection browsers to refuse to connect to your domain name via an insecure connection
(for a given period of time) by setting the `"Strict-Transport-Security" (for a given period of time) by setting the `"Strict-Transport-Security"
header`_. This reduces your exposure to some SSL-stripping man-in-the-middle header`__. This reduces your exposure to some SSL-stripping man-in-the-middle
(MITM) attacks. (MITM) attacks.
``SecurityMiddleware`` will set this header for you on all HTTPS responses if ``SecurityMiddleware`` will set this header for you on all HTTPS responses if
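Review bot: The anonymous reference introduced on the ``header`__. This reduces`` line is resolved by position rather than by name, and its ``__`` target is not in this hunk but about 40 lines further down, in the hunk at line 238. docutils pairs the nth anonymous reference in a file with the nth anonymous target, so a reference or target added out of order elsewhere in the file either fails the build with a mismatch error or repoints this link. Consider placing the ``__`` target directly under this paragraph, or keeping a named target for a link whose definition sits this far from its use.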
@ -238,7 +238,7 @@ If you wish to submit your site to the `browser preload list`_, set the
it may be because Django doesn't realize that it's on a secure connection; it may be because Django doesn't realize that it's on a secure connection;
you may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting. you may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting.
.. _"Strict-Transport-Security" header: https://en.wikipedia.org/wiki/Strict_Transport_Security __ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
.. _browser preload list: https://hstspreload.org/ .. _browser preload list: https://hstspreload.org/
.. _x-content-type-options: .. _x-content-type-options:
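Review bot: The replaced target line changes the link destination as well as the markup: the old ``.. _"Strict-Transport-Security" header:`` target pointed at en.wikipedia.org/wiki/Strict_Transport_Security, and the new ``__`` target points at developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security. The commit message only says the links were standardized; mention the Wikipedia-to-MDN switch there so the content change is not read as a pure syntax cleanup.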
@ -281,7 +281,7 @@ attack`_. They work by looking for JavaScript content in the GET or POST
parameters of a page. If the JavaScript is replayed in the server's response, parameters of a page. If the JavaScript is replayed in the server's response,
the page is blocked from rendering and an error page is shown instead. the page is blocked from rendering and an error page is shown instead.
The `X-XSS-Protection header`_ is used to control the operation of the The `X-XSS-Protection header`__ is used to control the operation of the
XSS filter. XSS filter.
To enable the XSS filter in the browser, and force it to always block To enable the XSS filter in the browser, and force it to always block
@ -296,7 +296,7 @@ header. ``SecurityMiddleware`` will do this for all responses if the
sanitizing <cross-site-scripting>` all input to prevent XSS attacks. sanitizing <cross-site-scripting>` all input to prevent XSS attacks.
.. _XSS attack: https://en.wikipedia.org/wiki/Cross-site_scripting .. _XSS attack: https://en.wikipedia.org/wiki/Cross-site_scripting
.. _X-XSS-Protection header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection __ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
.. _ssl-redirect: .. _ssl-redirect:
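Review bot: The ``__`` target that replaces ``.. _X-XSS-Protection header:`` keeps the same MDN URL, so this hunk only trades a named target for a positional one. It is the second anonymous target visible in this change and has to stay after the Strict-Transport-Security one for both links to resolve to the right page. A short reST comment above each ``__`` line naming the header it belongs to would make that ordering dependency visible to the next editor.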