diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 20:39:57 +0100 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 21:41:05 +0100 |
| commit | 840ffd80baad85c05670d6b642f654cffaa93cc3 (patch) | |
| tree | 39e3b948e5a6f365bb066ddf614ebdd38710b6f1 | |
| parent | 0199bdc0b411d4aba0173053417bbeea8224b26b (diff) | |
Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.
Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.
| -rw-r--r-- | docs/ref/settings.txt | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 398c90661b..a1b76f65e1 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1605,7 +1605,8 @@ method. This takes some explanation. By default, ``is_secure()`` is able to determine whether a request is secure by looking at whether the requested URL uses -"https://". +"https://". This is important for Django's CSRF protection, and may be used +by your own code or third-party apps. If your Django app is behind a proxy, though, the proxy may be "swallowing" the fact that a request is HTTPS, using a non-HTTPS connection between the proxy @@ -1635,7 +1636,7 @@ available in ``request.META``.) .. warning:: - **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** + **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.** Make sure ALL of the following are true before setting this (assuming the values from the example above): |
