Add a "security overview" page to the docs
Reported by: Russell Keith-Magee
Owned by: David Fischer
Cc: djfische@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
We should have a single place in the docs that addresses security issues, in the same vein as the discussion on database optimization.
This is to highlight problems that aren't security issues, but could lead to security issues if not addressed or understood adequately.
- How XSS is handled
- How CSRF is handled
- Limitations of Django's CSRF handling with MITM attacks and with untrusted subdomains.
- Server configuration issues that should be kept in mind (e.g., keeping code out of the server root, throttling file upload size, cf. #14192).
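To make the "untrusted subdomains" point above concrete, here is a small toy model added to this ticket as an illustration; it is not Django's code and is not part of the patch. It models a stateless double-submit CSRF check (form token must equal cookie token), shows that a request whose cookie was planted by a sibling subdomain passes that check, and then shows two server-side checks that reject it: a strict Origin/Referer host check on HTTPS, and a token held in the server-side session. The hostnames, cookie and form field names, the `Request` dataclass and the `run_scenarios` helper are all assumptions of this example, and the "planted" cookie value is constructed.

```python
# Toy model (added example, not Django's code) of a double-submit CSRF cookie
# check and why a sibling subdomain that can set parent-domain cookies undermines it.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it (hypothetical)."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_ok_double_submit(req: Request) -> bool:
    """Stateless check: the token in the form must equal the token in the cookie."""
    if req.method in SAFE_METHODS:
        return True
    cookie = req.cookies.get("csrftoken", "")
    submitted = req.form.get("csrfmiddlewaretoken", "")
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie, submitted)


def csrf_ok_with_origin_check(req: Request, site_host: str) -> bool:
    """Double-submit check plus a strict Origin/Referer host check on HTTPS.

    A sibling subdomain can plant the cookie, but the browser fills in
    Origin/Referer itself, so they still name the sibling host, not ours."""
    if not csrf_ok_double_submit(req):
        return False
    if req.method in SAFE_METHODS:
        return True
    if urlparse(req.url).scheme != "https":
        return True  # no header check on plain HTTP: this is the MITM gap
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == site_host


def csrf_ok_session_bound(req: Request, session: dict) -> bool:
    """Stateful check: compare against a token kept server-side in the session,
    which no other origin can read or overwrite."""
    if req.method in SAFE_METHODS:
        return True
    expected = session.get("csrf_token", "")
    submitted = req.form.get("csrfmiddlewaretoken", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def legit_post(token: str) -> Request:
    """Form post from our own page: cookie and form carry the same real token."""
    return Request(
        "POST", "https://www.example.com/transfer",
        cookies={"csrftoken": token},
        form={"csrfmiddlewaretoken": token, "amount": "10"},
        headers={"Origin": "https://www.example.com"},
    )


def sibling_subdomain_post(planted: str) -> Request:
    """Post after a page on untrusted.example.com set a cookie scoped to example.com
    (constructed scenario): cookie and form both carry the planted value."""
    return Request(
        "POST", "https://www.example.com/transfer",
        cookies={"csrftoken": planted},
        form={"csrfmiddlewaretoken": planted, "amount": "10"},
        headers={"Origin": "https://untrusted.example.com"},
    )


def run_scenarios() -> dict:
    """Run every check against a legitimate and a sibling-subdomain request."""
    real = secrets.token_urlsafe(32)
    planted = "cookie-value-chosen-by-sibling-subdomain"  # constructed sample value
    session = {"csrf_token": real}
    return {
        "legit/double_submit": csrf_ok_double_submit(legit_post(real)),
        # Passes: this is the limitation the ticket asks the docs to spell out.
        "sibling/double_submit": csrf_ok_double_submit(sibling_subdomain_post(planted)),
        "sibling/origin_check": csrf_ok_with_origin_check(
            sibling_subdomain_post(planted), "www.example.com"),
        "sibling/session_bound": csrf_ok_session_bound(
            sibling_subdomain_post(planted), session),
        "legit/session_bound": csrf_ok_session_bound(legit_post(real), session),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} -> {'accepted' if ok else 'rejected'}")
```

The stateless check accepts the sibling-subdomain request because both halves of the pair came from the same untrusted source; the two stateful or header-based checks reject it because they compare against something that source cannot control. The `scheme != "https"` branch is deliberately left permissive to mirror the MITM caveat: over plain HTTP neither the cookie nor the headers can be trusted, so the only real fix is serving the site over HTTPS.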