mirror of https://github.com/django/django.git, synced 2025-10-25 14:46:09 +00:00
	Fixed #19246 - Updated SECURE_PROXY_SSL_HEADER example to use 'X-Forwarded-Proto'
Thanks Fred Palmer for the report.
		| @@ -1560,9 +1560,9 @@ for. | |||||||
| You'll need to set a tuple with two elements -- the name of the header to look | You'll need to set a tuple with two elements -- the name of the header to look | ||||||
| for and the required value. For example:: | for and the required value. For example:: | ||||||
|  |  | ||||||
|     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') |     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') | ||||||
|  |  | ||||||
| Here, we're telling Django that we trust the ``X-Forwarded-Protocol`` header | Here, we're telling Django that we trust the ``X-Forwarded-Proto`` header | ||||||
| that comes from our proxy, and any time its value is ``'https'``, then the | that comes from our proxy, and any time its value is ``'https'``, then the | ||||||
| request is guaranteed to be secure (i.e., it originally came in via HTTPS). | request is guaranteed to be secure (i.e., it originally came in via HTTPS). | ||||||
| Obviously, you should *only* set this setting if you control your proxy or | Obviously, you should *only* set this setting if you control your proxy or | ||||||
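Review bot: the changed example line and the sentence after it present ``X-Forwarded-Proto`` as the header name without saying that the right name is whatever the deployment's own proxy emits. A reader whose proxy still sends ``X-Forwarded-Protocol`` and who copies the new tuple verbatim ends up with a setting that never matches. Suggest one sentence after the example stating that the first tuple element must correspond to the header the proxy actually sets, with ``HTTP_X_FORWARDED_PROTO`` shown only as a common choice. Separately, "guaranteed to be secure" in the context line holds only under the conditions listed in the warning further down, so a pointer to that warning at this spot would keep the claim from being read on its own.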
| @@ -1575,16 +1575,18 @@ available in ``request.META``.) | |||||||
|  |  | ||||||
| .. warning:: | .. warning:: | ||||||
|  |  | ||||||
|     **You will probably open security holes in your site if you set this without knowing what you're doing. And if you fail to set it when you should. Seriously.** |     **You will probably open security holes in your site if you set this | ||||||
|  |     without knowing what you're doing. And if you fail to set it when you | ||||||
|  |     should. Seriously.** | ||||||
|  |  | ||||||
|     Make sure ALL of the following are true before setting this (assuming the |     Make sure ALL of the following are true before setting this (assuming the | ||||||
|     values from the example above): |     values from the example above): | ||||||
|  |  | ||||||
|     * Your Django app is behind a proxy. |     * Your Django app is behind a proxy. | ||||||
|     * Your proxy strips the 'X-Forwarded-Protocol' header from all incoming |     * Your proxy strips the ``X-Forwarded-Proto`` header from all incoming | ||||||
|       requests. In other words, if end users include that header in their |       requests. In other words, if end users include that header in their | ||||||
|       requests, the proxy will discard it. |       requests, the proxy will discard it. | ||||||
|     * Your proxy sets the 'X-Forwarded-Protocol' header and sends it to Django, |     * Your proxy sets the ``X-Forwarded-Proto`` header and sends it to Django, | ||||||
|       but only for requests that originally come in via HTTPS. |       but only for requests that originally come in via HTTPS. | ||||||
|  |  | ||||||
|     If any of those are not true, you should keep this setting set to ``None`` |     If any of those are not true, you should keep this setting set to ``None`` | ||||||
|   | |||||||
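Review bot: the third bullet ("Your proxy sets the ``X-Forwarded-Proto`` header and sends it to Django, but only for requests that originally come in via HTTPS") can be read as requiring the header to be absent on plain HTTP requests, while the text above the example says the check is on the value being ``'https'``. Suggest wording it around the value, for example that the proxy sets the header to ``'https'`` only for requests that originally came in via HTTPS, so a proxy that sends a different value for HTTP requests is clearly covered. Minor style point: the re-wrapped bold warning still contains the fragment "And if you fail to set it when you should.", which could be folded into the preceding sentence, and the re-wrap itself is unrelated to the header rename and would be easier to review as a separate change.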