summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2012-11-06 05:16:01 -0500
committerTim Graham <timograham@gmail.com>2012-11-06 05:18:12 -0500
commit79209dfdc51e74f8fdf7d7b5b32ffe97794368d8 (patch)
treeced2bf953029fc533e4ac2c6bb2c295a515bb804 /docs
parent93e0ec553dae73a2a86cb23b058414d8f9ae3bd6 (diff)
[1.5.X] Fixed #19246 - Updated SECURE_PROXY_SSL_HEADER example to use 'X-Forwarded-Proto'
Thanks Fred Palmer for the report. Backport of 2cc1884383 from master
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/settings.txt12
1 files changed, 7 insertions, 5 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index e8b41afb39..5544c99dd1 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1560,9 +1560,9 @@ for.
You'll need to set a tuple with two elements -- the name of the header to look
for and the required value. For example::
- SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-Here, we're telling Django that we trust the ``X-Forwarded-Protocol`` header
+Here, we're telling Django that we trust the ``X-Forwarded-Proto`` header
that comes from our proxy, and any time its value is ``'https'``, then the
request is guaranteed to be secure (i.e., it originally came in via HTTPS).
Obviously, you should *only* set this setting if you control your proxy or
@@ -1575,16 +1575,18 @@ available in ``request.META``.)
.. warning::
- **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**
+ **You will probably open security holes in your site if you set this
+ without knowing what you're doing. And if you fail to set it when you
+ should. Seriously.**
Make sure ALL of the following are true before setting this (assuming the
values from the example above):
* Your Django app is behind a proxy.
- * Your proxy strips the 'X-Forwarded-Protocol' header from all incoming
+ * Your proxy strips the ``X-Forwarded-Proto`` header from all incoming
requests. In other words, if end users include that header in their
requests, the proxy will discard it.
- * Your proxy sets the 'X-Forwarded-Protocol' header and sends it to Django,
+ * Your proxy sets the ``X-Forwarded-Proto`` header and sends it to Django,
but only for requests that originally come in via HTTPS.
If any of those are not true, you should keep this setting set to ``None``