diff options
Diffstat (limited to 'docs/releases/1.4.4.txt')
| -rw-r--r-- | docs/releases/1.4.4.txt | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/docs/releases/1.4.4.txt b/docs/releases/1.4.4.txt index 979d1144f3..8e6b5b287e 100644 --- a/docs/releases/1.4.4.txt +++ b/docs/releases/1.4.4.txt @@ -17,10 +17,10 @@ Host header poisoning Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host header. Django's documentation has for some time contained notes advising users -on how to configure Web servers to ensure that only valid Host headers can reach +on how to configure web servers to ensure that only valid Host headers can reach the Django application. However, it has been reported to us that even with the -recommended Web server configurations there are still techniques available for -tricking many common Web servers into supplying the application with an +recommended web server configurations there are still techniques available for +tricking many common web servers into supplying the application with an incorrect and possibly malicious Host header. For this reason, Django 1.4.4 adds a new setting, ``ALLOWED_HOSTS``, containing |