mirror of https://github.com/django/django.git, synced 2025-10-25 22:56:12 +00:00
	Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.
Both false positives and false negatives of HttpRequest.is_secure can be dangerous.
		| @@ -1605,7 +1605,8 @@ method. | |||||||
|  |  | ||||||
| This takes some explanation. By default, ``is_secure()`` is able to determine | This takes some explanation. By default, ``is_secure()`` is able to determine | ||||||
| whether a request is secure by looking at whether the requested URL uses | whether a request is secure by looking at whether the requested URL uses | ||||||
| "https://". | "https://". This is important for Django's CSRF protection, and may be used | ||||||
|  | by your own code or third-party apps. | ||||||
|  |  | ||||||
| If your Django app is behind a proxy, though, the proxy may be "swallowing" the | If your Django app is behind a proxy, though, the proxy may be "swallowing" the | ||||||
| fact that a request is HTTPS, using a non-HTTPS connection between the proxy | fact that a request is HTTPS, using a non-HTTPS connection between the proxy | ||||||
| @@ -1635,7 +1636,7 @@ available in ``request.META``.) | |||||||
|  |  | ||||||
| .. warning:: | .. warning:: | ||||||
|  |  | ||||||
|     **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** |     **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.** | ||||||
|  |  | ||||||
|     Make sure ALL of the following are true before setting this (assuming the |     Make sure ALL of the following are true before setting this (assuming the | ||||||
|     values from the example above): |     values from the example above): | ||||||
|   | |||||||
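Review bot: in the bold warning, "And if you fail to set it when you should." is a sentence fragment wedged between two full sentences and reads awkwardly; suggest folding it into the first sentence: "**You will probably open security holes in your site if you set this without knowing what you're doing, or if you fail to set it when you should. Seriously.**" Also, the "Make sure ALL of the following are true before setting this" checklist that follows only addresses the set-it-wrongly case; since the warning now also covers failing to set it, a short pointer back to the preceding proxy paragraph (the case where the proxy terminates HTTPS and Django otherwise sees a plain connection) would tell the reader when setting it is required.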