#14597: request.is_secure() should support headers like: X-Forwarded-Protocol and X-Forwarded-Ssl
-------------------------------+------------------------------------
     Reporter:  gnotaras       |      Owner:  nobody
         Type:  New feature    |     Status:  reopened
    Component:  HTTP handling  |    Version:  1.2
     Severity:  Normal         | Resolution:
     Keywords:                 | Triage Stage:  Accepted
    Has patch:  0              | Needs documentation:  0
  Needs tests:  0              | Patch needs improvement:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+------------------------------------
Changes (by carljm):
 * status:  closed => reopened
 * resolution:  wontfix =>
 * type:  Uncategorized => New feature
 * stage:  Unreviewed => Accepted

Comment:

 Based on the discussion on the above thread, I'm reopening and accepting this ticket.

 The implementation should do nothing by default, but should allow the user (probably via a setting) to configure a header+value pair that Django will interpret as "yes, this request is secure". The documentation for this feature should be very clear that the proxy server MUST unconditionally set or strip this header, otherwise you are introducing a security hole by using it. Ideally we might also give some examples of how to correctly configure common proxy servers (nginx, Apache/mod_proxy).

 There is an existing implementation of this in [http://pypi.python.org/pypi/django-secure django-secure]; there are probably others as well. I think I've seen one other implementation (don't recall where) that allowed the user to set multiple header+value pairs. I think this is a bad idea, as it encourages overly-broad use of this feature. The correct way to use it is to set it per-deployment to the specific header that you know is set+validated by the proxy server in that particular deployment, not to pre-emptively set it to a range of possible headers that some proxy servers might use.

--
Ticket URL: <https://code.djangoproject.com/ticket/14597#comment:16>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
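The design carljm describes above (a single, optional header+value pair that the app trusts, and a proxy that must unconditionally set or strip that header) as an added, stand-alone model. This is not Django's code or django-secure's code: the function names, the `secure_proxy_ssl_header` parameter and the toy `proxy_forward` model are assumptions made for illustration, and the request environs are constructed. (Django later shipped this design as the `SECURE_PROXY_SSL_HEADER` setting, which takes exactly one `(environ_key, value)` tuple.) The four scenarios show that the feature is off by default, that a correctly configured proxy makes the check reliable, and that a proxy which forwards a client-supplied header unchanged is the hole the comment warns about.

```python
from typing import Mapping, Optional, Tuple

# Assumed setting shape: (WSGI environ key, exact expected value).
# None means the feature is disabled, the "do nothing by default" the ticket asks for.
# "X-Forwarded-Proto: https" arrives in WSGI as HTTP_X_FORWARDED_PROTO.
SecureProxyHeader = Optional[Tuple[str, str]]

# Constructed per-deployment setting for the scenarios below.
SETTING: SecureProxyHeader = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(environ: Mapping[str, str],
              secure_proxy_ssl_header: SecureProxyHeader = None) -> bool:
    """Return True if the request should be treated as HTTPS.

    TLS terminated in the WSGI server itself sets wsgi.url_scheme to "https".
    Otherwise trust only the one configured header, with an exact value match,
    and never fall back to other "possible" proxy headers.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if secure_proxy_ssl_header is None:
        return False                      # feature disabled: do nothing
    header, value = secure_proxy_ssl_header
    return environ.get(header) == value


def proxy_forward(client_headers: Mapping[str, str], over_tls: bool,
                  strip_untrusted: bool = True) -> dict:
    """Toy model of the reverse proxy; returns the WSGI environ the app sees.

    strip_untrusted=True models a correctly configured proxy: it ALWAYS
    overwrites X-Forwarded-Proto with the scheme of the connection it
    terminated, so nothing the client sent survives.
    strip_untrusted=False models the misconfiguration: the proxy forwards the
    client's header as-is and only adds its own when the header is absent.
    """
    environ = {"wsgi.url_scheme": "http"}     # proxy -> app hop is plain HTTP
    for name, val in client_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = val
    if strip_untrusted or "HTTP_X_FORWARDED_PROTO" not in environ:
        environ["HTTP_X_FORWARDED_PROTO"] = "https" if over_tls else "http"
    return environ


def scenarios() -> dict:
    """Run the four deployment scenarios and return name -> is_secure() result."""
    # Constructed: a plain-HTTP client that sends the header itself.
    client_supplied = {"X-Forwarded-Proto": "https"}
    return {
        # Setting unset: even a real TLS hop through the proxy is not trusted.
        "disabled_by_default": is_secure(proxy_forward({}, over_tls=True)),
        # Setting on, proxy strips/sets the header: TLS request is secure.
        "tls_good_proxy": is_secure(proxy_forward({}, over_tls=True), SETTING),
        # Setting on, proxy overwrites the client's header: plain HTTP stays insecure.
        "plain_good_proxy": is_secure(
            proxy_forward(client_supplied, over_tls=False), SETTING),
        # Setting on, proxy forwards the client's header unchanged: the hole.
        "plain_bad_proxy": is_secure(
            proxy_forward(client_supplied, over_tls=False, strip_untrusted=False),
            SETTING),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:>20}: is_secure() = {result}")
```

The only scenario that reports `True` for a plain-HTTP request is `plain_bad_proxy`, which is why the documentation the comment asks for has to insist that the proxy sets or strips the header unconditionally; the app-side check alone cannot tell a proxy-set header from a client-set one.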