| author | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 20:39:57 +0100 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 21:49:42 +0100 |
| commit | 0a8a6b92b28fad50924a84cf2b4e1d7c5e501a1f (patch) | |
| tree | db3396b12285ef345a466827593c0e3fa0d7bdff | |
| parent | 3bd937aec2fa26fd7e9d9c3269aca5e663d14aa7 (diff) | |
[1.4.x] Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.
Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.
Backport of 840ffd80ba from master
| -rw-r--r-- | docs/ref/settings.txt | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 1dabdaeb10..ced944a958 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1605,7 +1605,8 @@ method. This takes some explanation. By default, ``is_secure()`` is able to determine whether a request is secure by looking at whether the requested URL uses -"https://". +"https://". This is important for Django's CSRF protection, and may be used +by your own code or third-party apps. If your Django app is behind a proxy, though, the proxy may be "swallowing" the fact that a request is HTTPS, using a non-HTTPS connection between the proxy @@ -1635,7 +1636,7 @@ available in ``request.META``.) .. warning:: - **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.** + **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.** Make sure ALL of the following are true before setting this (assuming the values from the example above): |
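Review bot: In the first hunk (settings.txt, around line 1605), the new sentence "This is important for Django's CSRF protection, and may be used by your own code or third-party apps" states that the CSRF protection depends on ``is_secure()`` but not how, so a reader cannot judge what a wrong answer costs them; either say briefly what the CSRF protection uses the secure/insecure distinction for, or add a cross-reference to the CSRF documentation where that is explained. The commit message's point that both false positives and false negatives are dangerous is only implied here; the paragraph that follows describes the false-negative case (a proxy "swallowing" HTTPS), so a short clause noting that the reverse error is also harmful would make the two hunks consistent.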
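Review bot: In the second hunk (the ``.. warning::`` block, around line 1636), the inserted "And if you fail to set it when you should." is a sentence fragment and the line now runs far past the 79-column wrapping used by the rest of settings.txt; suggest one wrapped sentence, e.g. "**You will probably open security holes in your site if you set this without knowing what you're doing, or if you fail to set it when you should. Seriously.**". The checklist that follows ("Make sure ALL of the following are true before setting this") still only covers the case of setting the value; since the warning now also covers failing to set it, add a line stating when it must be set, i.e. whenever a proxy terminates HTTPS and talks to Django over a non-HTTPS connection, as described earlier in the same section.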
