p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[1.4.x] Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection. 

Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.

Backport of 840ffd80ba from master
This commit is contained in:
Luke Plant 2012-06-04 20:39:57 +01:00
parent 3bd937aec2
commit 0a8a6b92b2
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/ref/settings.txt
View File

@ -1605,7 +1605,8 @@ method.
This takes some explanation. By default, ``is_secure()`` is able to determine
whether a request is secure by looking at whether the requested URL uses
"https://".
"https://". This is important for Django's CSRF protection, and may be used
by your own code or third-party apps.
If your Django app is behind a proxy, though, the proxy may be "swallowing" the
fact that a request is HTTPS, using a non-HTTPS connection between the proxy
@ -1635,7 +1636,7 @@ available in ``request.META``.)
.. warning::
**You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.**
**You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**
Make sure ALL of the following are true before setting this (assuming the
values from the example above):