Opened 4 hours ago
#35800 new Uncategorized
Clarify SECURE_PROXY_SSL_HEADER as it relates to the wsgi.url_scheme environ
Reported by: | Klaas van Schelven | Owned by: | |
---|---|---|---|
Component: | Uncategorized | Version: | 5.1 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Looking at the documentation of SECURE_PROXY_SSL_HEADER it seems this is an absolutely required setting to get is_secure working correctly when behind a proxy.
However, this is not the case: Django's own WSGI handler inspects the environment value wsgi.url_scheme.
This value is "occasionally" set, e.g. when running in the default Gunicorn setup (and it happens to be set based on the exact same header as in the case of Django).
This is surprising (in the bad way)...
Perhaps the best way forward is simply to note that, depending on your WSGI server, such handling may already be in place (and that it uses the environment variable I mentioned)?
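
An added illustration of the behaviour the description reports, not part of the ticket and not Django's or Gunicorn's code: a simplified model in which the setting is consulted first and wsgi.url_scheme is the fallback. The names resolve_scheme and is_secure, the returned "source" label and the sample environs are constructed for this example.

```python
# Simplified model of how a request's scheme ends up being decided.
# Hypothetical helper names; this is not Django's implementation.

def resolve_scheme(environ, secure_proxy_ssl_header=None):
    """Return (scheme, source) for a WSGI environ.

    secure_proxy_ssl_header mirrors the Django setting: None, or a
    (META key, secure value) tuple such as ("HTTP_X_FORWARDED_PROTO", "https").
    """
    if secure_proxy_ssl_header:
        key, secure_value = secure_proxy_ssl_header
        raw = environ.get(key)
        if raw is not None:
            # Only the first value of a comma-separated header is compared.
            first = raw.split(",", 1)[0].strip()
            scheme = "https" if first == secure_value else "http"
            return scheme, "SECURE_PROXY_SSL_HEADER"
    # Fallback: whatever the WSGI server placed in the environ. A server that
    # already translated a forwarded-proto header makes this "https" even
    # though the setting is unset (model assumption: default to "http").
    return environ.get("wsgi.url_scheme", "http"), "wsgi.url_scheme"


def is_secure(environ, secure_proxy_ssl_header=None):
    return resolve_scheme(environ, secure_proxy_ssl_header)[0] == "https"


# Constructed sample environs (not captured from a real deployment).
# Server that already mapped the proxy header onto wsgi.url_scheme:
SERVER_TRANSLATED = {"wsgi.url_scheme": "https",
                     "HTTP_X_FORWARDED_PROTO": "https"}
# Server that passes the header through and reports the scheme it received:
SERVER_PASSTHROUGH = {"wsgi.url_scheme": "http",
                      "HTTP_X_FORWARDED_PROTO": "https"}
# Server-derived scheme and the header disagree:
CONFLICT = {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "http"}
SETTING = ("HTTP_X_FORWARDED_PROTO", "https")

if __name__ == "__main__":
    samples = [("translated", SERVER_TRANSLATED),
               ("passthrough", SERVER_PASSTHROUGH),
               ("conflict", CONFLICT)]
    for name, env in samples:
        for setting in (None, SETTING):
            label = "setting on" if setting else "setting off"
            print(f"{name:12} {label:11} -> {resolve_scheme(env, setting)}")
```

Running it prints which input decided the scheme in each case, which is the check to make when auditing a deployment: whether "secure" comes from the Django setting or from the WSGI server's own header handling.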