Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

django setting variable SECURE_PROXY_SSL_HEADER with heroku

I am trying to set variables related to https/ssl on django 1.8 with heroku. but in Django 1.8 tutorial, it saids that i should be careful setting this variable expecially "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"

In django 1.8 tutorial it saids

Warning

You will probably open security holes in your site if you set this without knowing what you’re doing. And if you fail to set it when you should. Seriously.

Make sure ALL of the following are true before setting this (assuming the values from the example above):

  • Your Django app is behind a proxy.
  • Your proxy strips the X-Forwarded-Proto header from all incoming requests. In other words, if end users include that header in their requests, the proxy will discard it.
  • Your proxy sets the X-Forwarded-Proto header and sends it to Django, but only for requests that originally come in via HTTPS.

If any of those are not true, you should keep this setting set to None and find another way of determining HTTPS, perhaps via custom middleware.

And when i use heroku does if fulfill all these conditions? Should i keep going on?

like image 890
nextdoordoc Avatar asked May 31 '16 07:05

nextdoordoc


1 Answers

yep - you should be fine - see the heroku docs: https://devcenter.heroku.com/articles/http-routing#heroku-headers

like image 198
Ammar Akhtar Avatar answered Oct 26 '22 04:10

Ammar Akhtar