From d232fd76a85870daf345fd8f8d617fe7802ae194 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Fleschenberg?= <rene@fleschenberg.net>
Date: Tue, 10 Sep 2019 17:35:36 +0200
Subject: [PATCH] Clarified that SECURE_REDIRECT_EXEMPT patterns should not
 include leading slashes.

---
 docs/ref/settings.txt | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 4405d152b22..dac9502abbd 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2306,8 +2306,11 @@ available in ``request.META``.)
 Default: ``[]`` (Empty list)
 
 If a URL path matches a regular expression in this list, the request will not be
-redirected to HTTPS. If :setting:`SECURE_SSL_REDIRECT` is ``False``, this
-setting has no effect.
+redirected to HTTPS. The
+:class:`~django.middleware.security.SecurityMiddleware` strips leading slashes
+from URL paths, so patterns shouldn't include them, e.g.
+``SECURE_REDIRECT_EXEMPT = [r'^no-ssl/$', …]``. If
+:setting:`SECURE_SSL_REDIRECT` is ``False``, this setting has no effect.
 
 .. setting:: SECURE_REFERRER_POLICY