REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command

[jcmcken]

I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:

When using the "runserver" command in a development capacity, and a custom middleware that sets the header to "HTTP_REMOTE_USER", remote user auth will fail because of what's mentioned here:

​https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in the docs using something like the "curl" command to simulate logins.

[jcmcken]

Proposed patch ​here.

[Israel Fermín Montilla]

I think this is a valid addition to the docs, someone checking how to perform Remote User Authentication might not be aware of this behavior and the fact that django's middleware will normalize evetything to uppercase and underscores and also prepend HTTP_ to the header name.

I left just a couple of comments on the pull request.

[Israel Fermín Montilla]

The proposed patch diff along with my comments can be found here: ​https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459

[Tim Graham]

As I commented on ​the PR, the runserver behavior of stripping underscores is documented in the docs for HttpRequest.META which is linked in the existing sentence. The example of using curl seems outside the scope of Django's documentation.