Fixed #25048 -- Documented that runservers strips headers with underscores.

refs 316b8d4974
2015-07-09 09:06:28 -04:00 · 2015-07-09 09:06:28 -04:00 · 7b6d3104f2
parent 3d650e80ad
commit 7b6d3104f2
1 changed files with 6 additions and 0 deletions
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@ -153,6 +153,12 @@ All attributes should be considered read-only, unless stated otherwise below.
    header called ``X-Bender`` would be mapped to the ``META`` key
    ``HTTP_X_BENDER``.

+    Note that :djadmin:`runserver` strips all headers with underscores in the
+    name, so you won't see them in ``META``. This prevents header-spoofing
+    based on ambiguity between underscores and dashes both being normalizing to
+    underscores in WSGI environment variables. It matches the behavior of
+    Web servers like Nginx and Apache 2.4+.
+
 .. attribute:: HttpRequest.user

    An object of type :setting:`AUTH_USER_MODEL` representing the currently