-
-
Notifications
You must be signed in to change notification settings - Fork 31k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed #26419 -- Rephrased a sentence in ALLOWED_HOSTS docs. #6357
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,9 +65,10 @@ See :doc:`/howto/error-reporting` for more information. | |
Default: ``[]`` (Empty list) | ||
|
||
A list of strings representing the host/domain names that this Django site can | ||
serve. This is a security measure to prevent an attacker from poisoning caches | ||
and triggering password reset emails with links to malicious hosts by submitting | ||
requests with a fake HTTP ``Host`` header, which is possible even under many | ||
serve. This is a security measure to prevent HTTP Host header attacks, in which | ||
an attacker uses malicious HTTP Host header values to inject code, trigger | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure what "inject code" is referring to. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Code Injection: https://en.wikipedia.org/wiki/Code_injection There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I elected to remove that explanation, as the page that is now linked to has an explanation already. |
||
password reset emails, etc. HTTP Host header attacks can exploit the behavior | ||
of web applications, web servers, and web caches, even under many | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not too sure about this sentence. Maybe "HTTP Host header attacks are possible even under many...." would be enough? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sounds good. |
||
seemingly-safe web server configurations. | ||
|
||
Values in this list can be fully qualified names (e.g. ``'www.example.com'``), | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could add a link to the discussion in
docs/topics/security.txt
:Also, I think a comma isn't needed before "in which".