| Age | Commit message | Author | |
|---|---|---|---|
| 2017-11-01 | Described how querysets are protected from SQL injection in more detail. | Tim Graham | |
| 2016-08-10 | Fixed #26947 -- Added an option to enable the HSTS header preload directive. | Ed Morley | |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger | |
| Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |||
| 2016-04-09 | Refs #26464 -- Added a link to OWASP Top 10 in security topic guide. | Tim Graham | |
| 2016-04-04 | Removed a reference to Django 1.3.1 in docs. | Tim Graham | |
| 2016-02-11 | Fixed #26206 -- Fixed docs comments causing empty code blocks. | Tim Graham | |
| 2016-01-25 | Fixed Sphinx highlight warnings in docs. | Tim Graham | |
| 2015-12-21 | Removed a misleading comment about HTTPS. | Alex Gaynor | |
| For all practical purposes, there are no common cases for which a website cannot be deployed with HTTPS. | |||
| 2015-12-01 | Fixed #25778 -- Updated docs links to use https when available. | Jon Dufresne | |
| 2015-11-16 | Fixed #25755 -- Unified spelling of "website". | Agnieszka Lasyk | |
| 2015-09-04 | Added links to new security settings introduced in 1.8. | David Sanders | |
| 2015-08-08 | Updated various links in docs | Claude Paroz | |
| 2015-08-08 | Updated Wikipedia links to use https | Claude Paroz | |
| 2015-08-05 | Fixed #25212 -- Documented the RawSQL expression. | Tim Graham | |
| 2014-09-26 | Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute. | Carl Meyer | |
| Thanks "djbug" for the report. | |||
| 2014-08-18 | Fixed some doc errors that caused syntax highlighting to fail. | Tim Graham | |
| 2014-04-25 | Fixed #22504 -- Corrected domain terminology in security guide. | Tim Graham | |
| Thanks chris at chrullrich.net. | |||
| 2014-04-25 | Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection | Moayad Mardini | |
| Thanks Erik Romijn for the suggestion. | |||
| 2014-03-21 | Removed PIL compatibility layer per deprecation timeline. | Tim Graham | |
| refs #19934. | |||
| 2013-11-27 | Added a warning regarding risks in serving user uploaded media. | Tim Graham | |
| Thanks Preston Holmes for the draft text. | |||
| 2013-10-18 | Added a warning regarding session security and subdomains. | Tim Graham | |
| 2013-04-29 | Fixed #20330 -- Normalized spelling of "web server". | Aymeric Augustin | |
| Thanks Baptiste Mispelon for the report. | |||
| 2013-02-19 | Added a new required ALLOWED_HOSTS setting for HTTP host header validation. | Carl Meyer | |
| This is a security fix; disclosure and advisory coming shortly. | |||
| 2012-12-29 | Removed django.contrib.markup. | Aymeric Augustin | |
| 2012-12-26 | Fixed broken links, round 3. refs #19516 | Tim Graham | |
| 2012-12-10 | Fixed a security issue in get_host. | Florian Apolloner | |
| Full disclosure and new release forthcoming. | |||
| 2012-09-06 | Formatting fix for host headers section | David Fischer | |
| 2012-09-06 | Added CSRF with HTTPS/HSTS and forwarding note | David Fischer | |
| 2012-09-06 | Added note about Strict Transport Security (HSTS) | David Fischer | |
| 2012-06-04 | Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER. | Luke Plant | |
| 2012-04-19 | Added more explicit warnings about unconfigured reStructured Text usage in docs. | Luke Plant | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-12-17 | Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section | Adrian Holovaty | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-09-10 | Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly. | Russell Keith-Magee | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-07-29 | Fixes #16482 -- Fixes typo in security docs. Thanks, charettes. | Jannis Leidel | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-07-17 | Grammar fixes and content tweaks to XSS section of security docs. | Luke Plant | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-07-06 | Improved warning about file uploads in docs, and added link from security overview page | Luke Plant | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-06-14 | Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste. | Jannis Leidel | |
| git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
| 2011-06-10 | Fixed #14201 - Add a "security overview" page to the docs | Luke Plant | |
| Thanks to davidfischer for the initial patch! git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37 | |||
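
The per-request salting scheme that the 2016-05-19 commit (#20869) describes, as an added Python example written for this page; it is not Django's code and is not taken from the commit. It models the description: a 32-character alphanumeric secret is combined with a fresh random 32-character mask by character-wise addition over a 62-character alphabet, so each `get_token()` call yields a different 64-character token while the cookie value is unchanged, and validation accepts only `[A-Za-z0-9]{64}`, with a legacy 32-character value accepted and upgraded to the salted form. The alphabet ordering, the function names and the `get_token` helper that takes the cookie value as an argument are assumptions made for this illustration.

```python
import re
import secrets
import string
from hmac import compare_digest

# Assumed alphabet (62 symbols) and lengths for this constructed example.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
_TOKEN_RE = re.compile(r"\A[A-Za-z0-9]{64}\Z")   # the strict shape from the commit message
_SECRET_RE = re.compile(r"\A[A-Za-z0-9]{32}\Z")  # legacy unsalted cookie value


def _random_string(length):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def new_csrf_secret():
    """Fresh 32-char secret; this is what the cookie ultimately protects."""
    return _random_string(CSRF_SECRET_LENGTH)


def salt_cipher_secret(secret, mask=None):
    """Return mask || cipher with cipher[i] = secret[i] + mask[i] (mod 62).

    A fresh random mask is drawn on every call, so the same secret produces
    a different 64-char token each time. `mask` is a parameter only so the
    behaviour can be checked deterministically.
    """
    if mask is None:
        mask = _random_string(CSRF_SECRET_LENGTH)
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unsalt_cipher_token(token):
    """Invert salt_cipher_secret: recover the 32-char secret from a 64-char token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)]
        for c, m in zip(cipher, mask)
    )


def is_valid_token_shape(token):
    """True only for exactly 64 ASCII alphanumerics; non-ASCII is rejected, not ignored."""
    return bool(_TOKEN_RE.match(token))


def sanitize_token(token):
    """Strict validation as the commit describes.

    Anything other than [A-Za-z0-9]{64} is replaced by a brand-new token,
    except a legacy 32-char alphanumeric value, which is accepted and
    upgraded to the salted 64-char form.
    """
    if is_valid_token_shape(token):
        return token
    if _SECRET_RE.match(token):
        return salt_cipher_secret(token)
    return salt_cipher_secret(new_csrf_secret())


def get_token(cookie_token):
    """Per-request token for {% csrf_token %}: re-salt the cookie's secret.

    The cookie itself (a salted token) is left alone; only the value handed
    to the template changes from request to request.
    """
    return salt_cipher_secret(unsalt_cipher_token(cookie_token))


def tokens_match(request_token, cookie_token):
    """Two differently salted tokens match iff they unsalt to the same secret."""
    return compare_digest(unsalt_cipher_token(request_token),
                          unsalt_cipher_token(cookie_token))


if __name__ == "__main__":
    cookie = sanitize_token(new_csrf_secret())  # legacy-style value, upgraded
    a, b = get_token(cookie), get_token(cookie)
    print("cookie :", cookie)
    print("token 1:", a)
    print("token 2:", b)
    print("same secret:", tokens_match(a, b), "| same string:", a == b)
```

Because the mask is prepended in clear, the scheme is not encryption in the confidentiality sense: anyone holding the token can recover the secret. Its purpose is only to make every token distinct, so that a token leaked by a compression side channel (the BREACH-style issue this commit addresses) does not reveal a stable secret.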
