#36862: Clarify RemoteUserMiddleware usage and deployment requirements under
ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type:
| Cleanup/optimization
Status: new | Component:
| Documentation
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
RemoteUserMiddleware asgi | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The current `RemoteUser` [https://docs.djangoproject.com/en/6.0/howto
/auth-remote-user/ docs] explains the trust model assuming a front-end web
server that **securely** sets `REMOTE_USER` env var, but it does not
clearly address ASGI deployments where Django may be the direct HTTP
endpoint ( uvicorn, daphne examples). This can lead readers to assume that
enabling `RemoteUserMiddleware` under ASGI without a reverse proxy is
safe.
The docs should explicitly state that `RemoteUserMiddleware` assumes a
trusted upstream that sets or strips the relevant header, and that running
ASGI servers directly on the Internet without such a proxy will allow
clients to inject identity headers. This is a documentation clarification
only and does not change behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019bb891dc26-cbb225fa-9546-4e64-8047-e2d1077a0cb4-000000%40eu-central-1.amazonses.com.
