From 840ffd80baad85c05670d6b642f654cffaa93cc3 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Mon, 4 Jun 2012 20:39:57 +0100 Subject: [PATCH] Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection. Both false positives and false negatives of HttpRequest.is_secure can be dangerous. --- docs/ref/settings.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 398c90661b..a1b76f65e1 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1605,7 +1605,8 @@ method. This takes some explanation. By default, ``is_secure()`` is able to determine whether a request is secure by looking at whether the requested URL uses -"https://". +"https://". This is important for Django's CSRF protection, and may be used +by your own code or third-party apps. If your Django app is behind a proxy, though, the proxy may be "swallowing" the fact that a request is HTTPS, using a non-HTTPS connection between the proxy @@ -1635,7 +1636,7 @@ available in ``request.META``.) .. warning:: - **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** + **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.** Make sure ALL of the following are true before setting this (assuming the values from the example above):