mirror of
https://github.com/django/django.git
synced 2025-06-05 03:29:12 +00:00
[1.8.x] Fixed #25048 -- Documented that runservers strips headers with underscores.
refs 316b8d49746933d1845d600314b002d9b64d3e3d Backport of 7b6d3104f263d9483982928604b2e51f06126ec1 from master
This commit is contained in:
parent
fe367db35f
commit
340c410d58
@ -170,6 +170,12 @@ All attributes should be considered read-only, unless stated otherwise below.
|
||||
header called ``X-Bender`` would be mapped to the ``META`` key
|
||||
``HTTP_X_BENDER``.
|
||||
|
||||
Note that :djadmin:`runserver` strips all headers with underscores in the
|
||||
name, so you won't see them in ``META``. This prevents header-spoofing
|
||||
based on ambiguity between underscores and dashes both being normalizing to
|
||||
underscores in WSGI environment variables. It matches the behavior of
|
||||
Web servers like Nginx and Apache 2.4+.
|
||||
|
||||
.. attribute:: HttpRequest.user
|
||||
|
||||
An object of type :setting:`AUTH_USER_MODEL` representing the currently
|
||||
|
Loading…
x
Reference in New Issue
Block a user