#14597: request.is_secure() should support headers like: X-Forwarded-Protocol and X-Forwarded-Ssl
-------------------------------+------------------------------------
     Reporter:  gnotaras       |                    Owner:  nobody
         Type:  New feature    |                   Status:  reopened
    Component:  HTTP handling  |                  Version:  1.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------
Changes (by carljm):

 * status:  closed => reopened
 * resolution:  wontfix =>
 * type:  Uncategorized => New feature
 * stage:  Unreviewed => Accepted


Comment:

 Based on the discussion on the above thread, I'm reopening and accepting
 this ticket.

 The implementation should do nothing by default, but should allow the user
 (probably via setting) to configure a header+value pair that Django will
 interpret as "yes, this request is secure". The documentation for this
 feature should be very clear that the proxy server MUST unconditionally
 set or strip this header, otherwise you are introducing a security hole by
 using it. Ideally we might also give some examples of how to correctly
 configure common proxy servers (nginx, Apache/mod_proxy).

 There is an existing implementation of this in
 [http://pypi.python.org/pypi/django-secure django-secure]; there are
 probably others as well.

 I think I've seen one other implementation (don't recall where) that
 allowed the user to set multiple header+value pairs. I think this is a bad
 idea, as it encourages overly-broad use of this feature. The correct way
 to use it is to set it per-deployment to the specific header that you know
 is set+validated by the proxy server in that particular deployment, not to
 pre-emptively set it to a range of possible headers that some proxy
 servers might use.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/14597#comment:16>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
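The design sketched in the comment above, as an added illustration that is not Django's code and not part of the ticket: a single configured header/value pair, off by default, with a model of the proxy behaviour the documentation is asked to insist on. The names `SECURE_PROXY_SSL_HEADER`, `is_secure`, `proxy_forward` and `demo` are assumptions made for this example, and the WSGI-style `meta` dictionaries are constructed inputs.

```python
# Added example (not Django's own code): a minimal request.is_secure()
# that consults exactly one configured header/value pair, as the comment
# proposes. SECURE_PROXY_SSL_HEADER, is_secure, proxy_forward and demo are
# names assumed for this illustration, not Django's API on this ticket.

# Default: no header is trusted, so is_secure() only looks at the scheme
# of the connection itself. A deployment sets this to the one header its
# proxy is known to both set and strip, e.g. ("HTTP_X_FORWARDED_PROTO", "https").
SECURE_PROXY_SSL_HEADER = None


def is_secure(meta, setting=None):
    """Return True if the request should be treated as HTTPS.

    `meta` is a WSGI-style environ dict (HTTP_* keys carry headers).
    `setting` is a (header_name, expected_value) pair or None.
    """
    # Direct TLS termination: trust the connection itself.
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if setting is None:
        return False
    header, value = setting
    # Exact match only: "https, http" or case variants are rejected,
    # which keeps the trusted signal as narrow as the comment recommends.
    return meta.get(header) == value


def proxy_forward(client_headers, client_used_tls, trusted_header):
    """Model a correctly configured TLS-terminating proxy.

    Whatever the client sent in `trusted_header` is discarded and the
    header is rewritten from what the proxy itself observed. A proxy that
    merely passes client headers through does not do this; that is the
    hole the comment warns about.
    """
    meta = {k: v for k, v in client_headers.items() if k != trusted_header}
    meta["wsgi.url_scheme"] = "http"  # proxy-to-Django hop is plain HTTP
    if client_used_tls:
        meta[trusted_header] = "https"
    return meta


def demo():
    """Run the four cases a reviewer of this feature cares about."""
    setting = ("HTTP_X_FORWARDED_PROTO", "https")
    client_header = {"HTTP_X_FORWARDED_PROTO": "https"}  # constructed input

    # 1. Default (setting is None): the client-supplied header is ignored.
    ignored = is_secure(dict(client_header, **{"wsgi.url_scheme": "http"}),
                        SECURE_PROXY_SSL_HEADER)

    # 2. Header configured and the proxy strips/sets it: real TLS is seen...
    honest = is_secure(proxy_forward({}, True, setting[0]), setting)
    # ...and a client-supplied value over plain HTTP is not.
    stripped = is_secure(proxy_forward(client_header, False, setting[0]),
                         setting)

    # 3. Header configured but the proxy passes client headers through:
    #    the misconfiguration the documentation must warn against.
    leaky = dict(client_header, **{"wsgi.url_scheme": "http"})
    passthrough = is_secure(leaky, setting)
    return ignored, honest, stripped, passthrough


if __name__ == "__main__":
    print(demo())  # (False, True, False, True)
```

The last case is the whole argument for the documentation requirement: the check is only as trustworthy as the proxy's guarantee that the header reflects what the proxy saw, so the setting should name the one header a given deployment's proxy actually controls.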