diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-03-31 15:43:18 -0400 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-02 09:19:07 -0400 |
| commit | 2ee757ee502d5663f932dc5c35175c39af4640ce (patch) | |
| tree | d540419df5cd17f7ccb22b84213cc64682758970 /docs/howto | |
| parent | a32c7075cf634aee1f4f3deecd27f194097ec0c2 (diff) | |
Fixed #36862 -- Doc'd the need for a proxy when deploying RemoteUserMiddleware under ASGI.
We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.
Diffstat (limited to 'docs/howto')
| -rw-r--r-- | docs/howto/auth-remote-user.txt | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/docs/howto/auth-remote-user.txt b/docs/howto/auth-remote-user.txt index 533f460e4a..fe48bb3dc8 100644 --- a/docs/howto/auth-remote-user.txt +++ b/docs/howto/auth-remote-user.txt @@ -99,19 +99,26 @@ instead of :class:`django.contrib.auth.middleware.RemoteUserMiddleware`:: .. warning:: - Be very careful if using a ``RemoteUserMiddleware`` subclass with a custom - HTTP header. You must be sure that your front-end web server always sets or - strips that header based on the appropriate authentication checks, never - permitting an end-user to submit a fake (or "spoofed") header value. Since - the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) both - normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you must - also check that your web server doesn't allow a spoofed header using + ``RemoteUserMiddleware`` must not be deployed in configurations where a + client can supply the header. You must be sure that your web server or + reverse proxy always sets or strips that header based on the appropriate + authentication checks, never permitting an end user to submit a fake (or + "spoofed") header value. In particular, ASGI deployments cannot be exposed + directly to the internet (that is, without a reverse proxy) when using this + middleware. + + Since the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) + both normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you + must also check that your web server doesn't allow a spoofed header using underscores in place of dashes. - This warning doesn't apply to ``RemoteUserMiddleware`` in its default - configuration with ``header = 'REMOTE_USER'``, since a key that doesn't - start with ``HTTP_`` in ``request.META`` can only be set by your WSGI - or ASGI server, not directly from an HTTP request header. + Under WSGI, this warning doesn't apply to ``RemoteUserMiddleware`` in its + default configuration with ``header = "REMOTE_USER"``, since a key that + doesn't start with ``HTTP_`` in ``request.META`` can only be set by your + WSGI server, not directly from an HTTP request header. This warning *does* + apply by default on ASGI, because in the async path, the middleware + prepends ``HTTP_`` to the defined header name before looking it up in + ``request.META``. If you need more control, you can create your own authentication backend that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and |