summaryrefslogtreecommitdiff
path: root/docs/topics/security.txt
AgeCommit message (Collapse)Author
2020-06-17Refs #31670 -- Removed whitelist/blacklist terminology in docs and comments.David Smith
2020-06-15Fixed #31696 -- Updated OWASP links in docs.Hasan Ramezani
2020-04-22Added link to Mozilla's infosec page on web security. Mads Jensen
2020-04-07Fixed highlightlang deprecation warning on Sphinx 1.8+.Mariusz Felisiak
2019-09-09Fixed #29406 -- Added support for Referrer-Policy header.Nick Pope
Thanks to James Bennett for the initial implementation.
2019-09-06Fixed #30573 -- Rephrased documentation to avoid words that minimise the ↵Tobias Kunze
involved difficulty. This patch does not remove all occurrences of the words in question. Rather, I went through all of the occurrences of the words listed below, and judged if they a) suggested the reader had some kind of knowledge/experience, and b) if they added anything of value (including tone of voice, etc). I left most of the words alone. I looked at the following words: - simply/simple - easy/easier/easiest - obvious - just - merely - straightforward - ridiculous Thanks to Carlton Gibson for guidance on how to approach this issue, and to Tim Bell for providing the idea. But the enormous lion's share of thanks go to Adam Johnson for his patient and helpful review.
2018-12-27Updated OWASP Top 10 link to the latest version.Vedran Karačić
2018-11-15Used auto-numbered lists in documentation.François Freitag
2017-11-01Described how querysets are protected from SQL injection in more detail.Tim Graham
2016-08-10Fixed #26947 -- Added an option to enable the HSTS header preload directive.Ed Morley
2016-05-19Fixed #20869 -- made CSRF tokens change every request by salt-encrypting themShai Berger
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
2016-04-09Refs #26464 -- Added a link to OWASP Top 10 in security topic guide.Tim Graham
2016-04-04Removed a reference to Django 1.3.1 in docs.Tim Graham
2016-02-11Fixed #26206 -- Fixed docs comments causing empty code blocks.Tim Graham
2016-01-25Fixed Sphinx highlight warnings in docs.Tim Graham
2015-12-21Removed a misleading comment about HTTPS.Alex Gaynor
For all practical purposes, there are no common cases for which a website cannot be deployed with HTTPS.
2015-12-01Fixed #25778 -- Updated docs links to use https when available.Jon Dufresne
2015-11-16Fixed #25755 -- Unified spelling of "website".Agnieszka Lasyk
2015-09-04Added links to new security settings introduced in 1.8.David Sanders
2015-08-08Updated various links in docsClaude Paroz
2015-08-08Updated Wikipedia links to use httpsClaude Paroz
2015-08-05Fixed #25212 -- Documented the RawSQL expression.Tim Graham
2014-09-26Fixed #23561 -- Corrected a security doc example that requires an unquoted ↵Carl Meyer
HTML attribute. Thanks "djbug" for the report.
2014-08-18Fixed some doc errors that caused syntax highlighting to fail.Tim Graham
2014-04-25Fixed #22504 -- Corrected domain terminology in security guide.Tim Graham
Thanks chris at chrullrich.net.
2014-04-25Fixed #22493 - Added warnings to raw() and extra() docs about SQL injectionMoayad Mardini
Thanks Erik Romijn for the suggestion.
2014-03-21Removed PIL compatability layer per deprecation timeline.Tim Graham
refs #19934.
2013-11-27Added a warning regarding risks in serving user uploaded media.Tim Graham
Thanks Preston Holmes for the draft text.
2013-10-18Added a warning regarding session security and subdomains.Tim Graham
2013-04-29Fixed #20330 -- Normalized spelling of "web server".Aymeric Augustin
Thanks Baptiste Mispelon for the report.
2013-02-19Added a new required ALLOWED_HOSTS setting for HTTP host header validation.Carl Meyer
This is a security fix; disclosure and advisory coming shortly.
2012-12-29Removed django.contrib.markup.Aymeric Augustin
2012-12-26Fixed broken links, round 3. refs #19516Tim Graham
2012-12-10Fixed a security issue in get_host.Florian Apolloner
Full disclosure and new release forthcoming.
2012-09-06Formatting fix for host headers sectionDavid Fischer
2012-09-06Added CSRF with HTTPS/HSTS and forwarding noteDavid Fischer
2012-09-06Added note about Strict Transport Security (HSTS)David Fischer
2012-06-04Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.Luke Plant
2012-04-19Added more explicit warnings about unconfigured reStructured Text usage in docs.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17Quick edit of docs/topics/security.txt to catch some basic formatting ↵Adrian Holovaty
problems and reword an awkward section git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10Added protection against spoofing of X_FORWARDED_HOST headers. A security ↵Russell Keith-Magee
announcement will be made shortly. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.Jannis Leidel
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17Grammar fixes and content tweaks to XSS section of security docs.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06Improved warning about file uploads in docs, and added link from security ↵Luke Plant
overview page git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.Jannis Leidel
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10Fixed #14201 - Add a "security overview" page to the docsLuke Plant
Thanks to davidfischer for the initial patch! git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37