Commit 0a8a6b92 authored by Luke Plant

[1.4.x] Noted that SECURE_PROXY_SSL_HEADER is needed by CSRF protection.

Both false positives and false negatives of HttpRequest.is_secure can be
dangerous.

Backport of 840ffd80 from master
parent 3bd937ae
+3 −2
@@ -1605,7 +1605,8 @@ method.

This takes some explanation. By default, ``is_secure()`` is able to determine
whether a request is secure by looking at whether the requested URL uses
"https://".
"https://". This is important for Django's CSRF protection, and may be used
by your own code or third-party apps.

If your Django app is behind a proxy, though, the proxy may be "swallowing" the
fact that a request is HTTPS, using a non-HTTPS connection between the proxy
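Review bot: the sentence added at "This is important for Django's CSRF protection" says that ``is_secure()`` matters to the CSRF machinery but not how, so a reader of the docs alone cannot tell why a wrong answer in either direction is a problem; the commit message carries that point ("Both false positives and false negatives of HttpRequest.is_secure can be dangerous") but the documentation text does not. Suggest extending the sentence so the reasoning lives in the docs, e.g. "This is important for Django's CSRF protection, which behaves differently for HTTPS requests, so a request misreported in either direction weakens the check", and tightening "may be used by your own code or third-party apps" into advice that application code should rely on ``is_secure()`` rather than inspecting headers itself, which is what makes a correct value worth the setup described in the following paragraphs.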
@@ -1635,7 +1636,7 @@ available in ``request.META``.)

.. warning::

    **You will probably open security holes in your site if you set this without knowing what you're doing. Seriously.**
    **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.**

    Make sure ALL of the following are true before setting this (assuming the
    values from the example above):
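Review bot: the clause added to the bolded warning, "And if you fail to set it when you should.", is a sentence fragment tacked onto the existing sentence, and the checklist that follows ("Make sure ALL of the following are true before setting this") only covers the case of setting the value, so the reader is now warned about not setting it but never told when that applies. Suggest folding it into one sentence, e.g. "You will probably open security holes in your site if you set this without knowing what you're doing, or if you fail to set it when you should. Seriously.", and adding the converse condition next to the checklist: when a proxy terminates HTTPS and forwards the request over plain HTTP (the "swallowing" case described earlier in this section), the setting is required rather than optional, because ``is_secure()`` will otherwise report HTTPS requests as insecure.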