#14597: request.is_secure() should support headers like: X-Forwarded-Protocol and X-Forwarded-Ssl
------------------------------------+---------------------------------------
          Reporter:  gnotaras       |       Owner:  nobody
            Status:  closed         |   Milestone:
         Component:  HTTP handling  |     Version:  1.2
        Resolution:  wontfix        |    Keywords:
             Stage:  Unreviewed     |   Has_patch:  0
        Needs_docs:  0              | Needs_tests:  0
Needs_better_patch:  0              |
------------------------------------+---------------------------------------

Comment (by lukeplant):

 Your latest proposal addresses some of the concerns about security, but as soon as you include it in Django, you will find hosts like WebFaction (where the customer is not in charge of those HTTPS headers) saying things like "put these settings in your settings.py to make it work" - and the developers will never read all the big fat disclaimers about those settings. I'm not saying that WebFaction are stupid or anything like that, it is just human nature to find the quickest solution to a problem. I still think that the solution is to put the burden of this logic and its security implications onto the developers — just like we solved `SetRemoteAddrFromForwardedFor` by removing it, not by making it customizable.

--
Ticket URL: <http://code.djangoproject.com/ticket/14597#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
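
One way a developer can carry that burden in deployment code, as an added example that is not from the ticket or from Django: a WSGI wrapper that honours the two headers from the ticket title only when the request comes from a known proxy, and strips them otherwise. The proxy network, the "secure" header values and all names in the block are assumptions to adapt to the actual deployment.

```python
import ipaddress

# Assumption: networks of the reverse proxies that terminate TLS for this site.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Header names from the ticket title, in WSGI environ form. The values that
# mean "HTTPS" are assumed conventions; match them to what your proxy sends.
SECURE_HEADERS = {
    "HTTP_X_FORWARDED_PROTOCOL": "https",
    "HTTP_X_FORWARDED_SSL": "on",
}

def from_trusted_proxy(environ):
    """True only if the direct TCP peer is one of the configured proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)

class ForwardedSchemeMiddleware:
    """Hypothetical wrapper: set wsgi.url_scheme from the proxy's headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        trusted = from_trusted_proxy(environ)
        for key, secure_value in SECURE_HEADERS.items():
            # Always remove the header so the application cannot act on a
            # client-supplied copy, whatever the peer address was.
            value = environ.pop(key, None)
            if trusted and value is not None and value.strip().lower() == secure_value:
                environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)

def scheme_seen_by_app(environ):
    """Pass a constructed environ through the wrapper; report what the app saw."""
    seen = {}

    def app(env, start_response):
        seen["scheme"] = env["wsgi.url_scheme"]
        seen["leaked"] = [k for k in SECURE_HEADERS if k in env]
        start_response("200 OK", [])
        return [b""]

    ForwardedSchemeMiddleware(app)(dict(environ), lambda status, headers: None)
    return seen["scheme"], seen["leaked"]
```

The check is on `REMOTE_ADDR`, so it only holds if clients cannot reach the application server directly and the proxy overwrites any copy of these headers sent by the client.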