mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00
Commit Graph

42 Commits

Author SHA1 Message Date
Nick Pope
406dba04e1 Fixed #29406 -- Added support for Referrer-Policy header.
Thanks to James Bennett for the initial implementation.
2019-09-09 13:35:41 +02:00
Tobias Kunze
4a954cfd11 Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty.
This patch does not remove all occurrences of the words in question.
Rather, I went through all of the occurrences of the words listed
below, and judged if they a) suggested the reader had some kind of
knowledge/experience, and b) if they added anything of value (including
tone of voice, etc). I left most of the words alone. I looked at the
following words:

- simply/simple
- easy/easier/easiest
- obvious
- just
- merely
- straightforward
- ridiculous

Thanks to Carlton Gibson for guidance on how to approach this issue, and
to Tim Bell for providing the idea. But the enormous lion's share of
thanks go to Adam Johnson for his patient and helpful review.
2019-09-06 13:27:46 +02:00
Vedran Karačić
293db9eb36 Updated OWASP Top 10 link to the latest version. 2018-12-27 09:23:40 -05:00
François Freitag
9b15ff08ba Used auto-numbered lists in documentation. 2018-11-15 13:54:28 -05:00
Tim Graham
6e8508734b Described how querysets are protected from SQL injection in more detail. 2017-11-01 11:34:17 -04:00
Ed Morley
3c2447dd13 Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-08-10 20:23:54 -04:00
Shai Berger
5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
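The token handling this commit message describes, as an added illustration in Python (not Django's own `django.middleware.csrf` code): a per-session secret stays in the cookie, every call to `get_token()`-style code returns a differently salted 64-character token, and anything that is not `[A-Za-z0-9]{64}` is rejected, except a 32-character legacy secret, which is accepted and upgraded. The 32-character secret length, the mask-and-add cipher over the 62-character alphabet and the helper names are this example's assumptions.

```python
import re
import secrets
import string
from typing import Optional

# The alphabet the commit's validation rule permits: [A-Za-z0-9], 62 symbols.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                       # per-session secret length (assumption)
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH    # mask + ciphertext = 64 characters


def _random_chars(n: int) -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def new_secret() -> str:
    """The value stored in the cookie; it does not change per request."""
    return _random_chars(CSRF_SECRET_LENGTH)


def mask_secret(secret: str, mask: Optional[str] = None) -> str:
    """Return a 64-char token: random mask, then (secret + mask) mod 62 per position.

    Each call with a fresh mask yields a different token for the same secret;
    that is what lets the form token rotate while the cookie stays put.
    The cipher is this example's choice, not necessarily Django's.
    """
    if mask is None:
        mask = _random_chars(CSRF_SECRET_LENGTH)
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Recover the secret from a 64-char token by subtracting the mask."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def sanitize_token(token: str) -> Optional[str]:
    """Strict validation as the commit describes.

    Exactly [A-Za-z0-9]{64} passes; a 32-char legacy token is accepted and
    replaced by a masked 64-char one; any other length or character is invalid.
    re.fullmatch is used so a trailing newline cannot sneak past a '$' anchor.
    """
    if re.fullmatch(r"[A-Za-z0-9]{32}", token):
        return mask_secret(token)
    if re.fullmatch(r"[A-Za-z0-9]{64}", token):
        return token
    return None


def tokens_match(request_token: str, cookie_secret: str) -> bool:
    """Check a submitted form token against the cookie secret in constant time."""
    clean = sanitize_token(request_token)
    if clean is None:
        return False
    return secrets.compare_digest(unmask_token(clean), cookie_secret)


if __name__ == "__main__":
    secret = new_secret()
    t1, t2 = mask_secret(secret), mask_secret(secret)
    print(t1 != t2, unmask_token(t1) == unmask_token(t2) == secret)
```

The comparison runs over the unmasked secrets rather than the tokens themselves, since two valid tokens for one session never look alike; `compare_digest` keeps the final check constant time once the input has passed the strict character and length filter.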
Tim Graham
f6ca63a9f8 Refs #26464 -- Added a link to OWASP Top 10 in security topic guide. 2016-04-09 07:49:40 -04:00
Tim Graham
15a20dc9af Removed a reference to Django 1.3.1 in docs. 2016-04-04 11:55:34 -04:00
Tim Graham
f2b45ddd99 Fixed #26206 -- Fixed docs comments causing empty code blocks. 2016-02-11 07:58:15 -05:00
Tim Graham
9c43d8252a Fixed Sphinx highlight warnings in docs. 2016-01-25 11:57:14 -05:00
Alex Gaynor
d7580e286a Removed a misleading comment about HTTPS.
For all practical purposes, there are no common cases for which a
website cannot be deployed with HTTPS.
2015-12-21 06:47:11 -05:00
Jon Dufresne
7aabd62380 Fixed #25778 -- Updated docs links to use https when available. 2015-12-01 08:01:34 -05:00
Agnieszka Lasyk
1f8dad6915 Fixed #25755 -- Unified spelling of "website". 2015-11-16 06:44:14 -05:00
David Sanders
cc968b9c90 Added links to new security settings introduced in 1.8. 2015-09-04 12:55:32 -04:00
Claude Paroz
e9c5c39631 Updated various links in docs 2015-08-08 13:57:15 +02:00
Claude Paroz
64982cc2fb Updated Wikipedia links to use https 2015-08-08 12:02:32 +02:00
Tim Graham
97fa7fe961 Fixed #25212 -- Documented the RawSQL expression. 2015-08-05 07:54:54 -04:00
Carl Meyer
d16bc7f0e4 Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
Thanks "djbug" for the report.
2014-09-26 11:07:55 -06:00
Tim Graham
9432f1e750 Fixed some doc errors that caused syntax highlighting to fail. 2014-08-18 20:37:47 -04:00
Tim Graham
f65eb15ac6 Fixed #22504 -- Corrected domain terminology in security guide.
Thanks chris at chrullrich.net.
2014-04-25 10:27:13 -04:00
Moayad Mardini
3776926cfe Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
2014-04-25 09:54:49 -04:00
Tim Graham
4965a77407 Removed PIL compatibility layer per deprecation timeline.
refs #19934.
2014-03-21 10:54:53 -04:00
Tim Graham
df6760f12c Added a warning regarding risks in serving user uploaded media.
Thanks Preston Holmes for the draft text.
2013-11-27 16:35:25 -05:00
Tim Graham
a3372f67cb Added a warning regarding session security and subdomains. 2013-10-18 09:42:45 -04:00
Aymeric Augustin
1267d2d9bc Fixed #20330 -- Normalized spelling of "web server".
Thanks Baptiste Mispelon for the report.
2013-04-29 19:40:43 +02:00
Carl Meyer
d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Aymeric Augustin
ebd2598596 Removed django.contrib.markup. 2012-12-29 21:59:07 +01:00
Tim Graham
b3a8c9dab8 Fixed broken links, round 3. refs #19516 2012-12-26 19:07:22 -05:00
Florian Apolloner
27560924ec Fixed a security issue in get_host.
Full disclosure and new release forthcoming.
2012-12-10 22:11:40 +01:00
David Fischer
58786897a1 Formatting fix for host headers section 2012-09-06 16:10:08 -04:00
David Fischer
c65100248d Added CSRF with HTTPS/HSTS and forwarding note 2012-09-06 16:08:14 -04:00
David Fischer
ba141e6906 Added note about Strict Transport Security (HSTS) 2012-09-06 15:13:31 -04:00
Luke Plant
0199bdc0b4 Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER. 2012-06-04 21:41:05 +01:00
Luke Plant
718f149bb2 Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00
Adrian Holovaty
d3055b3382 Quick edit of docs/topics/security.txt to catch some basic formatting problems and reword an awkward section
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17222 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-17 02:48:27 +00:00
Russell Keith-Magee
893cea211a Added protection against spoofing of X_FORWARDED_HOST headers. A security announcement will be made shortly.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16758 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:38 +00:00
Jannis Leidel
f0280f2e94 Fixes #16482 -- Fixes typo in security docs. Thanks, charettes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16560 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-29 09:39:55 +00:00
Luke Plant
9896b0df73 Grammar fixes and content tweaks to XSS section of security docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-17 14:17:26 +00:00
Luke Plant
f5c9c2246e Improved warning about file uploads in docs, and added link from security overview page
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-06 23:44:54 +00:00
Jannis Leidel
3ee076b135 Fixed #16248 -- Corrected a few typos in the security docs. Thanks, buddelkiste.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16397 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-14 10:34:52 +00:00
Luke Plant
528157ce73 Fixed #14201 - Add a "security overview" page to the docs
Thanks to davidfischer for the initial patch!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16360 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-10 15:14:36 +00:00