Commit Graph

44 Commits

Author SHA1 Message Date
Mads Jensen 060d9d4229 Added link to Mozilla's infosec page on web security. 2020-04-22 16:26:15 +02:00
Mariusz Felisiak 678f958ef9 Fixed highlightlang deprecation warning on Sphinx 1.8+. 2020-04-07 09:48:52 +02:00
Nick Pope 406dba04e1 Fixed #29406 -- Added support for Referrer-Policy header.
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
Tobias Kunze 4a954cfd11 Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty.
This patch does not remove all occurrences of the words in question.
Rather, I went through all of the occurrences of the words listed
below, and judged if they a) suggested the reader had some kind of
knowledge/experience, and b) if they added anything of value (including
tone of voice, etc). I left most of the words alone. I looked at the
following words:

- simply/simple
- easy/easier/easiest
- obvious
- just
- merely
- straightforward
- ridiculous

Thanks to Carlton Gibson for guidance on how to approach this issue, and
to Tim Bell for providing the idea. But the enormous lion's share of
thanks go to Adam Johnson for his patient and helpful review.
2019-09-06 13:27:46 +02:00
Vedran Karačić 293db9eb36 Updated OWASP Top 10 link to the latest version. 2018-12-27 09:23:40 -05:00
François Freitag 9b15ff08ba Used auto-numbered lists in documentation. 2018-11-15 13:54:28 -05:00
Tim Graham 6e8508734b Described how querysets are protected from SQL injection in more detail. 2017-11-01 11:34:17 -04:00
Ed Morley 3c2447dd13 Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-08-10 20:23:54 -04:00
Shai Berger 5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Tim Graham f6ca63a9f8 Refs #26464 -- Added a link to OWASP Top 10 in security topic guide. 2016-04-09 07:49:40 -04:00
Tim Graham 15a20dc9af Removed a reference to Django 1.3.1 in docs. 2016-04-04 11:55:34 -04:00
Tim Graham f2b45ddd99 Fixed #26206 -- Fixed docs comments causing empty code blocks. 2016-02-11 07:58:15 -05:00
Tim Graham 9c43d8252a Fixed Sphinx highlight warnings in docs. 2016-01-25 11:57:14 -05:00
Alex Gaynor d7580e286a Removed a misleading comment about HTTPS.
For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS.
2015-12-21 06:47:11 -05:00
Jon Dufresne 7aabd62380 Fixed #25778 -- Updated docs links to use https when available. 2015-12-01 08:01:34 -05:00
Agnieszka Lasyk 1f8dad6915 Fixed #25755 -- Unified spelling of "website". 2015-11-16 06:44:14 -05:00
David Sanders cc968b9c90 Added links to new security settings introduced in 1.8. 2015-09-04 12:55:32 -04:00
Claude Paroz e9c5c39631 Updated various links in docs 2015-08-08 13:57:15 +02:00
Claude Paroz 64982cc2fb Updated Wikipedia links to use https 2015-08-08 12:02:32 +02:00
Tim Graham 97fa7fe961 Fixed #25212 -- Documented the RawSQL expression. 2015-08-05 07:54:54 -04:00
Carl Meyer d16bc7f0e4 Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
Thanks "djbug" for the report.
2014-09-26 11:07:55 -06:00
Tim Graham 9432f1e750 Fixed some doc errors that caused syntax highlighting to fail. 2014-08-18 20:37:47 -04:00
Tim Graham f65eb15ac6 Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
2014-04-25 10:27:13 -04:00
Moayad Mardini 3776926cfe Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
2014-04-25 09:54:49 -04:00
Tim Graham 4965a77407 Removed PIL compatibility layer per deprecation timeline.
refs #19934.
2014-03-21 10:54:53 -04:00
Tim Graham df6760f12c Added a warning regarding risks in serving user uploaded media.
Thanks Preston Holmes for the draft text.
2013-11-27 16:35:25 -05:00
Tim Graham a3372f67cb Added a warning regarding session security and subdomains. 2013-10-18 09:42:45 -04:00
Aymeric Augustin 1267d2d9bc Fixed #20330 -- Normalized spelling of "web server".
Thanks Baptiste Mispelon for the report.
2013-04-29 19:40:43 +02:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin ebd2598596 Removed django.contrib.markup. 2012-12-29 21:59:07 +01:00
Tim Graham b3a8c9dab8 Fixed broken links, round 3. refs #19516 2012-12-26 19:07:22 -05:00
Florian Apolloner 27560924ec Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
David Fischer 58786897a1 Formatting fix for host headers section 2012-09-06 16:10:08 -04:00
David Fischer c65100248d Added CSRF with HTTPS/HSTS and forwarding note 2012-09-06 16:08:14 -04:00
David Fischer ba141e6906 Added note about Strict Transport Security (HSTS) 2012-09-06 15:13:31 -04:00
Luke Plant 0199bdc0b4 Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER. 2012-06-04 21:41:05 +01:00
Luke Plant 718f149bb2 Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00
Adrian Holovaty d3055b3382 Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:48:27 +00:00
Russell Keith-Magee 893cea211a Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel f0280f2e94 Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29 09:39:55 +00:00
Luke Plant 9896b0df73 Grammar fixes and content tweaks to XSS section of security docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17 14:17:26 +00:00
Luke Plant f5c9c2246e Improved warning about file uploads in docs, and added link from security overview page
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06 23:44:54 +00:00
Jannis Leidel 3ee076b135 Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14 10:34:52 +00:00
Luke Plant 528157ce73 Fixed #14201 - Add a "security overview" page to the docs
Thanks to davidfischer for the initial patch!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00