id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28539	"REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using ""runserver"" command"	jcmcken	Israel Fermín Montilla	"I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:

When using the ""runserver"" command in a development capacity, and a custom middleware that sets the header to ""HTTP_REMOTE_USER"", remote user auth will fail because of what's mentioned here:

https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in the docs using something like the ""curl"" command to simulate logins.

"	New feature	closed	Documentation	1.11	Normal	wontfix		jcmcken Israel Fermín Montilla	Ready for checkin	1	0	0	0	1	0