#34855: Document CSRF_TRUSTED_ORIGINS relation to SECURE_PROXY_SSL_HEADER.
-------------------------------------+-------------------------------------
     Reporter:  jeroenmuller         |                    Owner:  nobody
         Type:                       |                   Status:  closed
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  4.2
     Severity:  Normal               |               Resolution:  wontfix
     Keywords:  CSRF                 |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

 * cc: Florian Apolloner (added)
 * status:  new => closed
 * resolution:   => wontfix
 * easy:  1 => 0


Comment:

 Replying to [ticket:34855 jeroenmuller]:
 > It might be useful to add a note or warning below
 > https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS
 > explaining that it should only be necessary to configure this if you are
 > actually making requests across subdomains, and in other cases setting up
 > SECURE_PROXY_SSL_HEADER might be a more appropriate solution (as long as
 > the proxy correctly sets a header like X-Forwarded-Proto).

 Using `SECURE_PROXY_SSL_HEADER` must be an informed decision as it may
 cause security issues. This is not something we would freely document as a
 default solution, especially since it's only a solution for this
 particular setup where you have a trusted proxy that changes the protocol.
 I'm skeptical; we cannot document all setting configurations.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34855#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
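The following is an added illustration, not code from the ticket or from Django itself. It re-implements, in simplified form and with no Django dependency, the two checks the discussion turns on: how `SECURE_PROXY_SSL_HEADER` changes the scheme Django reports for a request, and how `CsrfViewMiddleware` compares the browser's `Origin` header against the request's own origin and `CSRF_TRUSTED_ORIGINS`. The WSGI environ, the host `example.com` and the `X-Forwarded-Proto` header name are constructed sample values. It also shows the failure mode behind "must be an informed decision": a plain-HTTP request that carries its own `X-Forwarded-Proto: https` is reported as secure unless a trusted proxy overwrites that header.

```python
"""Simplified simulation of Django's request scheme and CSRF origin checks.

Added example: mirrors (not copies) the 4.2 behaviour of
django.http.HttpRequest.scheme and
django.middleware.csrf.CsrfViewMiddleware._origin_verified.
"""
from urllib.parse import urlsplit


def request_scheme(meta, secure_proxy_ssl_header=None):
    """Scheme Django would report for a request whose WSGI environ is `meta`.

    Without SECURE_PROXY_SSL_HEADER the scheme is what the WSGI server saw;
    behind a TLS-terminating proxy that is "http". With the setting, the
    named header decides: its first comma-separated value must equal the
    configured secure value, otherwise the request is treated as "http".
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            first, *_ = value.split(",", 1)
            return "https" if first.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def _subdomain_match(request_origin, csrf_trusted_origins):
    """Match "scheme://*.domain" entries of CSRF_TRUSTED_ORIGINS."""
    parsed = urlsplit(request_origin)
    for origin in csrf_trusted_origins:
        if "*" not in origin:
            continue
        pattern = urlsplit(origin)
        if pattern.scheme != parsed.scheme:
            continue
        suffix = pattern.netloc.lstrip("*").lower()  # "*.example.com" -> ".example.com"
        netloc = parsed.netloc.lower()
        if netloc.endswith(suffix) or netloc == suffix[1:]:
            return True
    return False


def origin_verified(meta, host, csrf_trusted_origins=(), secure_proxy_ssl_header=None):
    """Simplified CsrfViewMiddleware origin check.

    The request's own origin is rebuilt from the scheme Django believes it
    has plus the Host header, then compared with the browser's Origin header;
    failing that, exact and wildcard CSRF_TRUSTED_ORIGINS entries are tried.
    """
    request_origin = meta["HTTP_ORIGIN"]
    good_origin = f"{request_scheme(meta, secure_proxy_ssl_header)}://{host}"
    if request_origin == good_origin or request_origin in set(csrf_trusted_origins):
        return True
    return _subdomain_match(request_origin, csrf_trusted_origins)


# Constructed WSGI environ: a same-site POST that arrived over TLS at a
# reverse proxy and was forwarded to Django over plain HTTP.
PROXIED_POST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "example.com",
    "HTTP_ORIGIN": "https://example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}
PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # SECURE_PROXY_SSL_HEADER value


def scenarios():
    """Outcome of the origin check under the configurations the ticket discusses."""
    env, host = PROXIED_POST, PROXIED_POST["HTTP_HOST"]
    return {
        # Django thinks its origin is http://example.com, browser says https://example.com
        "no setting": origin_verified(env, host),
        # explicitly trust the https origin
        "csrf_trusted_origins": origin_verified(env, host, ["https://example.com"]),
        # let the proxy header upgrade the scheme so the origins match
        "secure_proxy_ssl_header": origin_verified(env, host, secure_proxy_ssl_header=PROXY_HEADER),
    }


def spoof_risk(reached_via_trusted_proxy):
    """Scheme reported for a plain-HTTP request that supplies its own header.

    If the request reaches Django without passing through the proxy (or the
    proxy forwards client headers untouched), the client-chosen value wins
    and the request is reported as https. A proxy that always sets the
    header to what it actually saw ("http" here) prevents that.
    """
    direct = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
    if reached_via_trusted_proxy:
        direct["HTTP_X_FORWARDED_PROTO"] = "http"
    return request_scheme(direct, PROXY_HEADER)


if __name__ == "__main__":
    print(scenarios())
    print("direct request, spoofed header:", spoof_risk(False))
    print("same request via trusted proxy:", spoof_risk(True))
```

Both settings make the proxied POST pass the origin check; the difference is scope. `CSRF_TRUSTED_ORIGINS` only widens the CSRF comparison, while `SECURE_PROXY_SSL_HEADER` changes what `request.is_secure()` returns everywhere, which is why it is only safe when every path to the application goes through a proxy that overwrites the header.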
