David Smith 
							
						 
					 
					
						
						
							
						
						10df5b7177 
					 
					
						
						
							
							Refs  #31670  -- Removed whitelist/blacklist terminology in docs and comments.  
						
						
						
						
					 
					
						2020-06-17 13:15:56 +02:00 
						 
				 
			
				
					
						
							
							
								Hasan Ramezani 
							
						 
					 
					
						
						
							
						
						a16080810b 
					 
					
						
						
							
							Fixed   #31696  -- Updated OWASP links in docs.  
						
						
						
						
					 
					
						2020-06-15 09:44:08 +02:00 
						 
				 
			
				
					
						
							
							
								Mads Jensen 
							
						 
					 
					
						
						
							
						
						060d9d4229 
					 
					
						
						
							
							Added link to Mozilla's infosec page on web security.  
						
						
						
						
					 
					
						2020-04-22 16:26:15 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						678f958ef9 
					 
					
						
						
							
							Fixed highlightlang deprecation warning on Sphinx 1.8+.  
						
						
						
						
					 
					
						2020-04-07 09:48:52 +02:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						406dba04e1 
					 
					
						
						
							
							Fixed   #29406  -- Added support for Referrer-Policy header.  
						
						... 
						
						
						
						Thanks to James Bennett for the initial implementation. 
						
						
					 
					
						2019-09-09 13:35:41 +02:00 
						 
				 
			
				
					
						
							
							
								Tobias Kunze 
							
						 
					 
					
						
						
							
						
						4a954cfd11 
					 
					
						
						
							
							Fixed   #30573  -- Rephrased documentation to avoid words that minimise the involved difficulty.  
						
						... 
						
						
						
						This patch does not remove all occurrences of the words in question.
Rather, I went through all of the occurrences of the words listed
below, and judged if they a) suggested the reader had some kind of
knowledge/experience, and b) if they added anything of value (including
tone of voice, etc). I left most of the words alone. I looked at the
following words:
- simply/simple
- easy/easier/easiest
- obvious
- just
- merely
- straightforward
- ridiculous
Thanks to Carlton Gibson for guidance on how to approach this issue, and
to Tim Bell for providing the idea. But the enormous lion's share of
thanks go to Adam Johnson for his patient and helpful review. 
						
						
					 
					
						2019-09-06 13:27:46 +02:00 
						 
				 
			
				
					
						
							
							
								Vedran Karačić 
							
						 
					 
					
						
						
							
						
						293db9eb36 
					 
					
						
						
							
							Updated OWASP Top 10 link to the latest version.  
						
						
						
						
					 
					
						2018-12-27 09:23:40 -05:00 
						 
				 
			
				
					
						
							
							
								François Freitag 
							
						 
					 
					
						
						
							
						
						9b15ff08ba 
					 
					
						
						
							
							Used auto-numbered lists in documentation.  
						
						
						
						
					 
					
						2018-11-15 13:54:28 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						6e8508734b 
					 
					
						
						
							
							Described how querysets are protected from SQL injection in more detail.  
						
						
						
						
					 
					
						2017-11-01 11:34:17 -04:00 
						 
				 
			
				
					
						
							
							
								Ed Morley 
							
						 
					 
					
						
						
							
						
						3c2447dd13 
					 
					
						
						
							
							Fixed   #26947  -- Added an option to enable the HSTS header preload directive.  
						
						
						
						
					 
					
						2016-08-10 20:23:54 -04:00 
						 
				 
			
				
					
						
							
							
								Shai Berger 
							
						 
					 
					
						
						
							
						
						5112e65ef2 
					 
					
						
						
							
							Fixed   #20869  -- made CSRF tokens change every request by salt-encrypting them  
						
						... 
						
						
						
						Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews. 
						
						
					 
					
						2016-05-19 05:02:19 +03:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						f6ca63a9f8 
					 
					
						
						
							
							Refs  #26464  -- Added a link to OWASP Top 10 in security topic guide.  
						
						
						
						
					 
					
						2016-04-09 07:49:40 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						15a20dc9af 
					 
					
						
						
							
							Removed a reference to Django 1.3.1 in docs.  
						
						
						
						
					 
					
						2016-04-04 11:55:34 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						f2b45ddd99 
					 
					
						
						
							
							Fixed   #26206  -- Fixed docs comments causing empty code blocks.  
						
						
						
						
					 
					
						2016-02-11 07:58:15 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						9c43d8252a 
					 
					
						
						
							
							Fixed Sphinx highlight warnings in docs.  
						
						
						
						
					 
					
						2016-01-25 11:57:14 -05:00 
						 
				 
			
				
					
						
							
							
								Alex Gaynor 
							
						 
					 
					
						
						
							
						
						d7580e286a 
					 
					
						
						
							
							Removed a misleading comment about HTTPS.  
						
						... 
						
						
						
						For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS. 
						
						
					 
					
						2015-12-21 06:47:11 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						7aabd62380 
					 
					
						
						
							
							Fixed   #25778  -- Updated docs links to use https when available.  
						
						
						
						
					 
					
						2015-12-01 08:01:34 -05:00 
						 
				 
			
				
					
						
							
							
								Agnieszka Lasyk 
							
						 
					 
					
						
						
							
						
						1f8dad6915 
					 
					
						
						
							
							Fixed   #25755  -- Unified spelling of "website".  
						
						
						
						
					 
					
						2015-11-16 06:44:14 -05:00 
						 
				 
			
				
					
						
							
							
								David Sanders 
							
						 
					 
					
						
						
							
						
						cc968b9c90 
					 
					
						
						
							
							Added links to new security settings introduced in 1.8.  
						
						
						
						
					 
					
						2015-09-04 12:55:32 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						e9c5c39631 
					 
					
						
						
							
							Updated various links in docs  
						
						
						
						
					 
					
						2015-08-08 13:57:15 +02:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						64982cc2fb 
					 
					
						
						
							
							Updated Wikipedia links to use https  
						
						
						
						
					 
					
						2015-08-08 12:02:32 +02:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						97fa7fe961 
					 
					
						
						
							
							Fixed   #25212  -- Documented the RawSQL expression.  
						
						
						
						
					 
					
						2015-08-05 07:54:54 -04:00 
						 
				 
			
				
					
						
							
							
								Carl Meyer 
							
						 
					 
					
						
						
							
						
						d16bc7f0e4 
					 
					
						
						
							
							Fixed   #23561  -- Corrected a security doc example that requires an unquoted HTML attribute.  
						
						... 
						
						
						
						Thanks "djbug" for the report. 
						
						
					 
					
						2014-09-26 11:07:55 -06:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						9432f1e750 
					 
					
						
						
							
							Fixed some doc errors that caused syntax highlighting to fail.  
						
						
						
						
					 
					
						2014-08-18 20:37:47 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						f65eb15ac6 
					 
					
						
						
							
							Fixed   #22504  -- Corrected domain terminology in security guide.  
						
						... 
						
						
						
						Thanks chris at chrullrich.net. 
						
						
					 
					
						2014-04-25 10:27:13 -04:00 
						 
				 
			
				
					
						
							
							
								Moayad Mardini 
							
						 
					 
					
						
						
							
						
						3776926cfe 
					 
					
						
						
							
							Fixed   #22493  - Added warnings to raw() and extra() docs about SQL injection  
						
						... 
						
						
						
						Thanks Erik Romijn for the suggestion. 
						
						
					 
					
						2014-04-25 09:54:49 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						4965a77407 
					 
					
						
						
							
							Removed PIL compatability layer per deprecation timeline.  
						
						... 
						
						
						
						refs #19934 . 
						
						
					 
					
						2014-03-21 10:54:53 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						df6760f12c 
					 
					
						
						
							
							Added a warning regarding risks in serving user uploaded media.  
						
						... 
						
						
						
						Thanks Preston Holmes for the draft text. 
						
						
					 
					
						2013-11-27 16:35:25 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						a3372f67cb 
					 
					
						
						
							
							Added a warning regarding session security and subdomains.  
						
						
						
						
					 
					
						2013-10-18 09:42:45 -04:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						1267d2d9bc 
					 
					
						
						
							
							Fixed   #20330  -- Normalized spelling of "web server".  
						
						... 
						
						
						
						Thanks Baptiste Mispelon for the report. 
						
						
					 
					
						2013-04-29 19:40:43 +02:00 
						 
				 
			
				
					
						
							
							
								Carl Meyer 
							
						 
					 
					
						
						
							
						
						d51fb74360 
					 
					
						
						
							
							Added a new required ALLOWED_HOSTS setting for HTTP host header validation.  
						
						... 
						
						
						
						This is a security fix; disclosure and advisory coming shortly. 
						
						
					 
					
						2013-02-19 11:23:29 -07:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						ebd2598596 
					 
					
						
						
							
							Removed django.contrib.markup.  
						
						
						
						
					 
					
						2012-12-29 21:59:07 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						b3a8c9dab8 
					 
					
						
						
							
							Fixed broken links, round 3. refs  #19516  
						
						
						
						
					 
					
						2012-12-26 19:07:22 -05:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						27560924ec 
					 
					
						
						
							
							Fixed a security issue in get_host.  
						
						... 
						
						
						
						Full disclosure and new release forthcoming. 
						
						
					 
					
						2012-12-10 22:11:40 +01:00 
						 
				 
			
				
					
						
							
							
								David Fischer 
							
						 
					 
					
						
						
							
						
						58786897a1 
					 
					
						
						
							
							Formatting fix for host headers section  
						
						
						
						
					 
					
						2012-09-06 16:10:08 -04:00 
						 
				 
			
				
					
						
							
							
								David Fischer 
							
						 
					 
					
						
						
							
						
						c65100248d 
					 
					
						
						
							
							Added CSRF with HTTPS/HSTS and forwarding note  
						
						
						
						
					 
					
						2012-09-06 16:08:14 -04:00 
						 
				 
			
				
					
						
							
							
								David Fischer 
							
						 
					 
					
						
						
							
						
						ba141e6906 
					 
					
						
						
							
							Added note about Strict Transport Security (HSTS)  
						
						
						
						
					 
					
						2012-09-06 15:13:31 -04:00 
						 
				 
			
				
					
						
							
							
								Luke Plant 
							
						 
					 
					
						
						
							
						
						0199bdc0b4 
					 
					
						
						
							
							Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.  
						
						
						
						
					 
					
						2012-06-04 21:41:05 +01:00 
						 
				 
			
				
					
						
							
							
								Luke Plant 
							
						 
					 
					
						
						
							
						
						718f149bb2 
					 
					
						
						
							
							Added more explicit warnings about unconfigured reStructured Text usage in docs.  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2012-04-19 15:00:55 +00:00 
						 
				 
			
				
					
						
							
							
								Adrian Holovaty 
							
						 
					 
					
						
						
							
						
						d3055b3382 
					 
					
						
						
							
							Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-12-17 02:48:27 +00:00 
						 
				 
			
				
					
						
							
							
								Russell Keith-Magee 
							
						 
					 
					
						
						
							
						
						893cea211a 
					 
					
						
						
							
							Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-09-10 00:46:38 +00:00 
						 
				 
			
				
					
						
							
							
								Jannis Leidel 
							
						 
					 
					
						
						
							
						
						f0280f2e94 
					 
					
						
						
							
							Fixes   #16482  -- Fixes typo in security docs. Thanks, charettes.  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-07-29 09:39:55 +00:00 
						 
				 
			
				
					
						
							
							
								Luke Plant 
							
						 
					 
					
						
						
							
						
						9896b0df73 
					 
					
						
						
							
							Grammar fixes and content tweaks to XSS section of security docs.  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-07-17 14:17:26 +00:00 
						 
				 
			
				
					
						
							
							
								Luke Plant 
							
						 
					 
					
						
						
							
						
						f5c9c2246e 
					 
					
						
						
							
							Improved warning about file uploads in docs, and added link from security overview page  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-07-06 23:44:54 +00:00 
						 
				 
			
				
					
						
							
							
								Jannis Leidel 
							
						 
					 
					
						
						
							
						
						3ee076b135 
					 
					
						
						
							
							Fixed   #16248  -- Corrected a few typos in the security docs. Thanks, buddelkiste.  
						
						... 
						
						
						
						git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-06-14 10:34:52 +00:00 
						 
				 
			
				
					
						
							
							
								Luke Plant 
							
						 
					 
					
						
						
							
						
						528157ce73 
					 
					
						
						
							
							Fixed   #14201  - Add a "security overview" page to the docs  
						
						... 
						
						
						
						Thanks to davidfischer for the initial patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360  bcc190cf-cafb-0310-a4f2-bffc1f526a37 
						
						
					 
					
						2011-06-10 15:14:36 +00:00