Diffstat (limited to 'docs/internals/security.txt')
| -rw-r--r-- | docs/internals/security.txt | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 300e0b9e6e..32705584a4 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -131,6 +131,12 @@ not been sanitized:: q = MyModel.objects.extra(select={"id": query}) return HttpResponse(q.values()) +Some HTTP headers must also be sanitized by a web server or fronting proxy +before they can be used, such as ``Remote-User`` and ``X-Forwarded-*``. For +instance, under ASGI, it is a deployment misconfiguration (rather than any flaw +in Django) for Django to be the direct HTTP endpoint when +:class:`~django.contrib.auth.middleware.RemoteUserMiddleware` is used. + Request headers and URLs must be under 8K bytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
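Review bot: the new paragraph says ``Remote-User`` and ``X-Forwarded-*`` "must be sanitized by a web server or fronting proxy before they can be used" but never says what sanitizing means for these headers, which leaves the reader without an actionable check. Suggest stating it explicitly, e.g. "the proxy must drop any client-supplied value of these headers and set its own, so that the application only ever sees values the proxy itself produced", and pointing from the ASGI sentence to the deployment notes for :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, since the text labels a direct-endpoint ASGI setup a misconfiguration without saying where the supported configuration is documented.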
