Fixed #36862 -- Doc'd the need for a proxy when deploying RemoteUserMiddleware under ASGI.

We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-31 15:43:18 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-02 09:19:07 -0400
commit: 2ee757ee502d5663f932dc5c35175c39af4640ce (patch)
tree: d540419df5cd17f7ccb22b84213cc64682758970 /docs/howto/auth-remote-user.txt
parent: a32c7075cf634aee1f4f3deecd27f194097ec0c2 (diff)
1 files changed, 18 insertions, 11 deletions
diff --git a/docs/howto/auth-remote-user.txt b/docs/howto/auth-remote-user.txt
index 533f460e4a..fe48bb3dc8 100644
--- a/docs/howto/auth-remote-user.txt
+++ b/docs/howto/auth-remote-user.txt
@@ -99,19 +99,26 @@ instead of :class:`django.contrib.auth.middleware.RemoteUserMiddleware`::
 
 .. warning::
 
-    Be very careful if using a ``RemoteUserMiddleware`` subclass with a custom
-    HTTP header. You must be sure that your front-end web server always sets or
-    strips that header based on the appropriate authentication checks, never
-    permitting an end-user to submit a fake (or "spoofed") header value. Since
-    the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) both
-    normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you must
-    also check that your web server doesn't allow a spoofed header using
+    ``RemoteUserMiddleware`` must not be deployed in configurations where a
+    client can supply the header. You must be sure that your web server or
+    reverse proxy always sets or strips that header based on the appropriate
+    authentication checks, never permitting an end user to submit a fake (or
+    "spoofed") header value. In particular, ASGI deployments cannot be exposed
+    directly to the internet (that is, without a reverse proxy) when using this
+    middleware.
+
+    Since the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example)
+    both normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you
+    must also check that your web server doesn't allow a spoofed header using
     underscores in place of dashes.
 
-    This warning doesn't apply to ``RemoteUserMiddleware`` in its default
-    configuration with ``header = 'REMOTE_USER'``, since a key that doesn't
-    start with ``HTTP_`` in ``request.META`` can only be set by your WSGI
-    or ASGI server, not directly from an HTTP request header.
+    Under WSGI, this warning doesn't apply to ``RemoteUserMiddleware`` in its
+    default configuration with ``header = "REMOTE_USER"``, since a key that
+    doesn't start with ``HTTP_`` in ``request.META`` can only be set by your
+    WSGI server, not directly from an HTTP request header. This warning *does*
+    apply by default on ASGI, because in the async path, the middleware
+    prepends ``HTTP_`` to the defined header name before looking it up in
+    ``request.META``.
 
 If you need more control, you can create your own authentication backend
 that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-31 15:43:18 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-02 09:19:07 -0400
commit	2ee757ee502d5663f932dc5c35175c39af4640ce (patch)
tree	d540419df5cd17f7ccb22b84213cc64682758970 /docs/howto/auth-remote-user.txt
parent	a32c7075cf634aee1f4f3deecd27f194097ec0c2 (diff)