Merge pull request #331 from davidfischer/master

Ticket #17324 - Improve security docs with better CSRF explanation
commit 257c4011cb887524048acb8796b130761617d195 2 parents 4624906 + 5878689
James Bennett authored September 07, 2012

Showing 1 changed file with 26 additions and 6 deletions.

32  docs/topics/security.txt
@@ -76,9 +76,17 @@ POST to your Web site and have another logged in user unwittingly submit that
76 76
 form. The malicious user would have to know the nonce, which is user specific
77 77
 (using a cookie).
78 78
 
  79
+When deployed with :ref:`HTTPS <security-recommendation-ssl>`, 
  80
+``CsrfViewMiddleware`` will check that the HTTP referer header is set to a 
  81
+URL on the same origin (including subdomain and port). Because HTTPS
  82
+provides additional security, it is imperative to ensure connections use HTTPS
  83
+where it is available by forwarding insecure connection requests and using
  84
+HSTS for supported browsers.
  85
+
79 86
 Be very careful with marking views with the ``csrf_exempt`` decorator unless
80 87
 it is absolutely necessary.
81 88
 
  89
+
82 90
 SQL injection protection
83 91
 ========================
84 92
 
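Review bot: the first two added lines end in trailing whitespace (after ``<security-recommendation-ssl>`,`` and after ``set to a``), which should be stripped before merge. Two wording points as well: ``referer`` names an HTTP header and would read better as a literal (``Referer``), matching the ``CsrfViewMiddleware`` literal in the same sentence; and the paragraph leaves implicit the point that matters most, namely that over plain HTTP the referer check is not performed at all, which is the actual reason the sentence that follows calls HTTPS "imperative". Stating that directly would make the security argument complete rather than leaving the reader to infer it.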
@@ -112,6 +120,8 @@ The middleware is strongly recommended for any site that does not need to have
112 120
 its pages wrapped in a frame by third party sites, or only needs to allow that
113 121
 for a small section of the site.
114 122
 
  123
+.. _security-recommendation-ssl:
  124
+
115 125
 SSL/HTTPS
116 126
 =========
117 127
 
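Review bot: the new ``.. _security-recommendation-ssl:`` label is the target of the ``:ref:`` added in the CSRF paragraph, so the two hunks only make sense together; keep the blank line between the label and the ``SSL/HTTPS`` heading, since that is the layout Sphinx needs for the label to attach to the section title. The name follows the existing ``additional-security-topics`` style, so no change is needed there.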
@@ -147,7 +157,15 @@ server, there are some additional steps you may need:
147 157
   any POST data being accepted over HTTP (which will be fine if you are
148 158
   redirecting all HTTP traffic to HTTPS).
149 159
 
150  
-.. _additional-security-topics:
  160
+* Use HTTP Strict Transport Security (HSTS)
  161
+
  162
+  HSTS is an HTTP header that informs a browser that all future connections
  163
+  to a particular site should always use HTTPS. Combined with redirecting
  164
+  requests over HTTP to HTTPS, this will ensure that connections always enjoy
  165
+  the added security of SSL provided one successful connection has occurred.
  166
+  HSTS is usually configured on the web server.
  167
+
  168
+.. _host-headers-virtual-hosting:
151 169
 
152 170
 Host headers and virtual hosting
153 171
 ================================
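Review bot: the HSTS bullet says "HSTS is an HTTP header" without naming it; giving the response header name (``Strict-Transport-Security``) would leave the reader with something concrete to look for when the text then says "HSTS is usually configured on the web server". The qualifier "provided one successful connection has occurred" carries the real caveat and deserves a plain sentence of its own: a browser that has never received the header still sends its first request over HTTP and gets only the redirect, not the HSTS protection. Separately, removing ``.. _additional-security-topics:`` from above ``Host headers and virtual hosting`` and adding ``.. _host-headers-virtual-hosting:`` in its place is correct, since the old label sat above the wrong section; the removed label is re-added above ``Additional security topics`` in the following hunk, so the two hunks must land together.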
@@ -158,15 +176,17 @@ Site Scripting attacks, they can be used for Cross-Site Request
158 176
 Forgery and cache poisoning attacks in some circumstances. We
159 177
 recommend you ensure your Web server is configured such that:
160 178
 
161  
-    * It always validates incoming HTTP ``Host`` headers against the expected
162  
-      host name.
163  
-    * Disallows requests with no ``Host`` header.
164  
-    * Is *not* configured with a catch-all virtual host that forwards requests
165  
-      to a Django application.
  179
+* It always validates incoming HTTP ``Host`` headers against the expected
  180
+  host name.
  181
+* Disallows requests with no ``Host`` header.
  182
+* Is *not* configured with a catch-all virtual host that forwards requests
  183
+  to a Django application.
166 184
 
167 185
 Additionally, as of 1.3.1, Django requires you to explicitly enable support for
168 186
 the ``X-Forwarded-Host`` header if your configuration requires it.
169 187
 
  188
+.. _additional-security-topics:
  189
+
170 190
 Additional security topics
171 191
 ==========================
172 192
 
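Review bot: dedenting the three bullets from four spaces to column zero is a real fix, because in reST an indented bullet list following a paragraph renders as a block quote rather than as a list. While these lines are being touched, make the items parallel: the first begins "It always validates" while the others begin "Disallows" and "Is *not*"; either drop "It" from the first or give the other two the same subject. The moved ``.. _additional-security-topics:`` label now sits directly above the section it names, with the blank line Sphinx expects between label and heading.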
