From e0a869b208750e179e0924337af1c06929eff72a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Fleschenberg?= Date: Tue, 10 Sep 2019 17:35:36 +0200 Subject: [PATCH] [3.0.x] Clarified that SECURE_REDIRECT_EXEMPT patterns should not include leading slashes. Backport of d232fd76a85870daf345fd8f8d617fe7802ae194 from master --- docs/ref/settings.txt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 75eaf25613e..512220176b8 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2316,8 +2316,11 @@ available in ``request.META``.) Default: ``[]`` (Empty list) If a URL path matches a regular expression in this list, the request will not be -redirected to HTTPS. If :setting:`SECURE_SSL_REDIRECT` is ``False``, this -setting has no effect. +redirected to HTTPS. The +:class:`~django.middleware.security.SecurityMiddleware` strips leading slashes +from URL paths, so patterns shouldn't include them, e.g. +``SECURE_REDIRECT_EXEMPT = [r'^no-ssl/$', …]``. If +:setting:`SECURE_SSL_REDIRECT` is ``False``, this setting has no effect. .. setting:: SECURE_REFERRER_POLICY
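
Review bot: The added sentence in the SECURE_REDIRECT_EXEMPT paragraph tells readers to omit the leading slash but does not say what happens if they keep it. Going by the two statements in this hunk (leading slashes are stripped, and only a matching path is exempt), a pattern written as ``^/no-ssl/$`` would never match and the request would still be redirected to HTTPS. One clause stating that outcome would save readers from debugging a silent non-match. The example also relies on ``^`` and ``$`` without explaining them. Since every match removes a path from the HTTPS redirect, consider a short remark that patterns should be anchored so they exempt only the intended paths. Minor style point: the ``…`` inside ``[r'^no-ssl/$', …]`` is a typographic ellipsis inside a code literal, so the line cannot be pasted into a settings file as written; a single-pattern list would read just as clearly.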