mirror of https://github.com/django/django.git synced 2025-06-05 03:29:12 +00:00

[1.4.x] Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.

Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.

Backport of 840ffd80ba from master
Luke Plant 2012-06-04 20:39:57 +01:00
parent 3bd937aec2
commit 0a8a6b92b2


@ -1605,7 +1605,8 @@ method.
This takes some explanation. By default, ``is_secure()`` is able to determine This takes some explanation. By default, ``is_secure()`` is able to determine
whether a request is secure by looking at whether the requested URL uses whether a request is secure by looking at whether the requested URL uses
"https://". "https://". This is important for Django's CSRF protection, and may be used
by your own code or third-party apps.
If your Django app is behind a proxy, though, the proxy may be "swallowing" the If your Django app is behind a proxy, though, the proxy may be "swallowing" the
fact that a request is HTTPS, using a non-HTTPS connection between the proxy fact that a request is HTTPS, using a non-HTTPS connection between the proxy
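Review bot: the new sentence states that ``is_secure()`` "is important for Django's CSRF protection" but does not say what depends on it, so a reader cannot tell why a wrong answer matters in either direction (the commit message's point about both false positives and false negatives). Consider one clause explaining which CSRF check behaves differently for secure requests, or a cross-reference to the CSRF documentation, so the reader knows what breaks when ``is_secure()`` returns the wrong value. The phrase "may be used by your own code or third-party apps" is fine as is, but sits more naturally as a separate sentence than as a continuation of the CSRF remark.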
@ -1635,7 +1636,7 @@ available in ``request.META``.)
.. warning:: .. warning::
**You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**
Make sure ALL of the following are true before setting this (assuming the Make sure ALL of the following are true before setting this (assuming the
values from the example above): values from the example above):
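Review bot: the added text "And if you fail to set it when you should." is a sentence fragment tacked on between the original warning and "Seriously.", which weakens the emphasis the bold is meant to carry; suggest folding it into one sentence, e.g. "**You will probably open security holes in your site if you set this without knowing what you're doing, or if you fail to set it when you should. Seriously.**". The checklist that follows ("Make sure ALL of the following are true before setting this") still only covers the case of setting the value; since the warning now also covers the failure to set it, a short note on how to recognise that case (a proxy terminating HTTPS and forwarding plain HTTP with a header as in the example above) would make the two halves of the warning actionable.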