diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 20:31:23 +0100 |
|---|---|---|
| committer | Luke Plant <L.Plant.98@cantab.net> | 2012-06-04 21:46:37 +0100 |
| commit | 3bd937aec2fa26fd7e9d9c3269aca5e663d14aa7 (patch) | |
| tree | 5af90b870390e0a03980264cd78dd8324782a23a | |
| parent | 03f1d69f1e4313c34f965f5a3ef922a5084aa619 (diff) | |
[1.4.x] Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER.
Backport of 0199bdc0b from master
| -rw-r--r-- | docs/topics/security.txt | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 4b393cd1b8..914b63fd40 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -114,22 +114,19 @@ transferred between client and server, and in some cases -- **active** network attackers -- to alter data that is sent in either direction. If you want the protection that HTTPS provides, and have enabled it on your -server, there are some additional steps to consider to ensure that sensitive -information is not leaked: +server, there are some additional steps you may need: -* Set up redirection so that requests over HTTP are redirected to HTTPS. +* If necessary, set :setting:`SECURE_PROXY_SSL_HEADER`, ensuring that you have + understood the warnings there thoroughly. Failure to do this can result + in CSRF vulnerabilities, and failure to do it correctly can also be + dangerous! - It is possible to do this with a piece of Django middleware. However, this has - problems for the common case of a Django app running behind a reverse - proxy. Often, reverse proxies are configured to set the ``X-Forwarded-SSL`` - header (or equivalent) if the incoming connection was HTTPS, and the absence - of this header could be used to detect a request that was not HTTPS. However, - this method usually cannot be relied on, as a client, or a malicious active - network attacker, could also set this header. +* Set up redirection so that requests over HTTP are redirected to HTTPS. - So, for the case of a reverse proxy, it is recommended that the main Web - server should be configured to do the redirect to HTTPS, or configured to send - HTTP requests to an app that unconditionally redirects to HTTPS. + This could be done using a custom middleware. Please note the caveats under + :setting:`SECURE_PROXY_SSL_HEADER`. For the case of a reverse proxy, it may be + easier or more secure to configure the main Web server to do the redirect to + HTTPS. * Use 'secure' cookies. |