summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2012-06-04 20:39:57 +0100
committerLuke Plant <L.Plant.98@cantab.net>2012-06-04 21:41:05 +0100
commit840ffd80baad85c05670d6b642f654cffaa93cc3 (patch)
tree39e3b948e5a6f365bb066ddf614ebdd38710b6f1 /docs
parent0199bdc0b411d4aba0173053417bbeea8224b26b (diff)
Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.
Both false positives and false negatives of HttpRequest.is_secure can be dangerous.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/settings.txt5
1 files changed, 3 insertions, 2 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 398c90661b..a1b76f65e1 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1605,7 +1605,8 @@ method.
This takes some explanation. By default, ``is_secure()`` is able to determine
whether a request is secure by looking at whether the requested URL uses
-"https://".
+"https://". This is important for Django's CSRF protection, and may be used
+by your own code or third-party apps.
If your Django app is behind a proxy, though, the proxy may be "swallowing" the
fact that a request is HTTPS, using a non-HTTPS connection between the proxy
@@ -1635,7 +1636,7 @@ available in ``request.META``.)
.. warning::
- **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.**
+ **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**
Make sure ALL of the following are true before setting this (assuming the
values from the example above):