Mads Jensen
060d9d4229
Added link to Mozilla's infosec page on web security.
2020-04-22 16:26:15 +02:00
Mariusz Felisiak
678f958ef9
Fixed highlightlang deprecation warning on Sphinx 1.8+.
2020-04-07 09:48:52 +02:00
Nick Pope
406dba04e1
Fixed #29406 -- Added support for Referrer-Policy header.
...
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
Tobias Kunze
4a954cfd11
Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty.
...
This patch does not remove all occurrences of the words in question.
Rather, I went through all of the occurrences of the words listed
below, and judged if they a) suggested the reader had some kind of
knowledge/experience, and b) if they added anything of value (including
tone of voice, etc). I left most of the words alone. I looked at the
following words:
- simply/simple
- easy/easier/easiest
- obvious
- just
- merely
- straightforward
- ridiculous
Thanks to Carlton Gibson for guidance on how to approach this issue, and
to Tim Bell for providing the idea. But the enormous lion's share of
thanks go to Adam Johnson for his patient and helpful review.
2019-09-06 13:27:46 +02:00
Vedran Karačić
293db9eb36
Updated OWASP Top 10 link to the latest version.
2018-12-27 09:23:40 -05:00
François Freitag
9b15ff08ba
Used auto-numbered lists in documentation.
2018-11-15 13:54:28 -05:00
Tim Graham
6e8508734b
Described how querysets are protected from SQL injection in more detail.
2017-11-01 11:34:17 -04:00
Ed Morley
3c2447dd13
Fixed #26947 -- Added an option to enable the HSTS header preload directive.
2016-08-10 20:23:54 -04:00
Shai Berger
5112e65ef2
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
...
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Tim Graham
f6ca63a9f8
Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.
2016-04-09 07:49:40 -04:00
Tim Graham
15a20dc9af
Removed a reference to Django 1.3.1 in docs.
2016-04-04 11:55:34 -04:00
Tim Graham
f2b45ddd99
Fixed #26206 -- Fixed docs comments causing empty code blocks.
2016-02-11 07:58:15 -05:00
Tim Graham
9c43d8252a
Fixed Sphinx highlight warnings in docs.
2016-01-25 11:57:14 -05:00
Alex Gaynor
d7580e286a
Removed a misleading comment about HTTPS.
...
For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS.
2015-12-21 06:47:11 -05:00
Jon Dufresne
7aabd62380
Fixed #25778 -- Updated docs links to use https when available.
2015-12-01 08:01:34 -05:00
Agnieszka Lasyk
1f8dad6915
Fixed #25755 -- Unified spelling of "website".
2015-11-16 06:44:14 -05:00
David Sanders
cc968b9c90
Added links to new security settings introduced in 1.8.
2015-09-04 12:55:32 -04:00
Claude Paroz
e9c5c39631
Updated various links in docs
2015-08-08 13:57:15 +02:00
Claude Paroz
64982cc2fb
Updated Wikipedia links to use https
2015-08-08 12:02:32 +02:00
Tim Graham
97fa7fe961
Fixed #25212 -- Documented the RawSQL expression.
2015-08-05 07:54:54 -04:00
Carl Meyer
d16bc7f0e4
Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
...
Thanks "djbug" for the report.
2014-09-26 11:07:55 -06:00
Tim Graham
9432f1e750
Fixed some doc errors that caused syntax highlighting to fail.
2014-08-18 20:37:47 -04:00
Tim Graham
f65eb15ac6
Fixed #22504 -- Corrected domain terminology in security guide.
...
Thanks chris at chrullrich.net.
2014-04-25 10:27:13 -04:00
Moayad Mardini
3776926cfe
Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
...
Thanks Erik Romijn for the suggestion.
2014-04-25 09:54:49 -04:00
Tim Graham
4965a77407
Removed PIL compatibility layer per deprecation timeline.
...
refs #19934.
2014-03-21 10:54:53 -04:00
Tim Graham
df6760f12c
Added a warning regarding risks in serving user uploaded media.
...
Thanks Preston Holmes for the draft text.
2013-11-27 16:35:25 -05:00
Tim Graham
a3372f67cb
Added a warning regarding session security and subdomains.
2013-10-18 09:42:45 -04:00
Aymeric Augustin
1267d2d9bc
Fixed #20330 -- Normalized spelling of "web server".
...
Thanks Baptiste Mispelon for the report.
2013-04-29 19:40:43 +02:00
Carl Meyer
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin
ebd2598596
Removed django.contrib.markup.
2012-12-29 21:59:07 +01:00
Tim Graham
b3a8c9dab8
Fixed broken links, round 3. refs #19516
2012-12-26 19:07:22 -05:00
Florian Apolloner
27560924ec
Fixed a security issue in get_host.
...
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
David Fischer
58786897a1
Formatting fix for host headers section
2012-09-06 16:10:08 -04:00
David Fischer
c65100248d
Added CSRF with HTTPS/HSTS and forwarding note
2012-09-06 16:08:14 -04:00
David Fischer
ba141e6906
Added note about Strict Transport Security (HSTS)
2012-09-06 15:13:31 -04:00
Luke Plant
0199bdc0b4
Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.
2012-06-04 21:41:05 +01:00
Luke Plant
718f149bb2
Added more explicit warnings about unconfigured reStructured Text usage in docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00
Adrian Holovaty
d3055b3382
Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:48:27 +00:00
Russell Keith-Magee
893cea211a
Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel
f0280f2e94
Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29 09:39:55 +00:00
Luke Plant
9896b0df73
Grammar fixes and content tweaks to XSS section of security docs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17 14:17:26 +00:00
Luke Plant
f5c9c2246e
Improved warning about file uploads in docs, and added link from security overview page
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06 23:44:54 +00:00
Jannis Leidel
3ee076b135
Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14 10:34:52 +00:00
Luke Plant
528157ce73
Fixed #14201 - Add a "security overview" page to the docs
...
Thanks to davidfischer for the initial patch!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00