author Tim Graham <timograham@gmail.com> 2015-07-09 09:06:28 -0400
committer Tim Graham <timograham@gmail.com> 2015-07-09 09:10:27 -0400
commit 7b6d3104f263d9483982928604b2e51f06126ec1 (patch)
tree 79a39faf8144267c13fcdd74a0d6e22016d3003c /docs/ref/request-response.txt
parent 3d650e80ad47fdf3e7758766d2b00ed3c1efb089 (diff)
Fixed #25048 -- Documented that runserver strips headers with underscores.
refs 316b8d49746933d1845d600314b002d9b64d3e3d
Diffstat (limited to 'docs/ref/request-response.txt')
-rw-r--r-- docs/ref/request-response.txt | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index fbc83bc379..86a9a02172 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -153,6 +153,12 @@ All attributes should be considered read-only, unless stated otherwise below.
header called ``X-Bender`` would be mapped to the ``META`` key
``HTTP_X_BENDER``.
+ Note that :djadmin:`runserver` strips all headers with underscores in the
+ name, so you won't see them in ``META``. This prevents header-spoofing
+ based on ambiguity between underscores and dashes both being normalizing to
+ underscores in WSGI environment variables. It matches the behavior of
+ Web servers like Nginx and Apache 2.4+.
+
.. attribute:: HttpRequest.user
An object of type :setting:`AUTH_USER_MODEL` representing the currently
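Review bot: the third added line has a grammar slip, "both being normalizing to underscores" should read "both being normalized to underscores". More importantly, the new paragraph sits inside the general ``META`` description, so it should state plainly that the stripping is a behaviour of the development server only: a reader could otherwise take the header-spoofing protection for granted in production, whereas the last sentence only notes that Nginx and Apache 2.4+ happen to behave the same way. Suggest ending with something like "In production, this protection depends on the Web server in front of Django; confirm that yours drops headers containing underscores before relying on ``META`` keys such as ``HTTP_X_BENDER`` for security decisions."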