Opened 3 weeks ago

Last modified 2 weeks ago

#36862 assigned Cleanup/optimization

Clarify RemoteUserMiddleware usage and deployment requirements under ASGI

Reported by: Natalia Bidart
Owned by: Kundan Yadav
Component: Documentation
Version: 6.0
Severity: Normal
Keywords: RemoteUserMiddleware asgi
Cc: Andrew Godwin, Carlton Gibson, Jake Howard
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The current RemoteUser docs explain the trust model assuming a front-end web server that securely sets the REMOTE_USER env var, but they do not clearly address ASGI deployments where Django may be the direct HTTP endpoint (uvicorn, daphne examples). This can lead readers to assume that enabling RemoteUserMiddleware under ASGI without a reverse proxy is safe.

The docs should explicitly state that RemoteUserMiddleware assumes a trusted upstream that sets or strips the relevant header, and that running ASGI servers directly on the Internet without such a proxy will allow clients to inject identity headers. This is a documentation clarification only and does not change behavior.
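The trust boundary described above, as an added stand-alone simulation (not code from the ticket, its patch, or Django itself): incoming headers are mapped to CGI-style `HTTP_*` keys the way Django's request handling does, and the identity header is compared between a request that arrives directly from the Internet and one relayed by a trusted upstream. The proxy address, header name and ASGI scopes are constructed sample values.

```python
# Added example, not part of the ticket or of Django: why a REMOTE_USER-style
# header is only trustworthy when a trusted upstream sets or strips it.

TRUSTED_PROXIES = {"10.0.0.5"}        # assumed address of the reverse proxy
IDENTITY_HEADER = "x-remote-user"     # assumed header name the proxy sets
META_KEY = "HTTP_X_REMOTE_USER"       # CGI-style key that header maps to


def build_meta(scope):
    """Mimic CGI-style header mapping: 'x-remote-user' -> 'HTTP_X_REMOTE_USER'."""
    meta = {}
    for name, value in scope["headers"]:
        key = "HTTP_" + name.decode("latin1").upper().replace("-", "_")
        meta[key] = value.decode("latin1")
    return meta


def identity_unchecked(scope):
    """Naive behaviour: accept whatever identity header arrived with the request."""
    return build_meta(scope).get(META_KEY)


def identity_checked(scope):
    """Defensive behaviour: honour the header only when a trusted upstream sent it."""
    client_ip = scope.get("client", (None, None))[0]
    if client_ip not in TRUSTED_PROXIES:
        return None  # header was supplied by an arbitrary client; discard it
    return build_meta(scope).get(META_KEY)


def make_scope(client_ip, headers):
    """Constructed minimal ASGI HTTP scope (only the fields used here)."""
    return {
        "type": "http",
        "client": (client_ip, 54321),
        "headers": [(k.encode("latin1"), v.encode("latin1")) for k, v in headers],
    }


# Constructed request hitting the ASGI server directly; identity is self-asserted.
DIRECT = make_scope("203.0.113.7", [(IDENTITY_HEADER, "alice")])
# Constructed request relayed by the trusted proxy after it authenticated the user.
PROXIED = make_scope("10.0.0.5", [(IDENTITY_HEADER, "alice")])
```

The client-address check stands in for the real deployment requirement: the ASGI server must be reachable only through a proxy that authenticates users and strips any client-supplied copy of the header. Without that upstream, `identity_unchecked` is effectively what a misconfigured deployment does.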

Change History (5)

comment:1 by Jacob Walls, 3 weeks ago

Triage Stage: Unreviewed → Accepted

comment:2 by Kundan Yadav, 3 weeks ago

Can I work on this issue?

in reply to: comment:2 | comment:3 by Natalia Bidart, 3 weeks ago

Replying to Kundan Yadav:

Can I work on this issue?

You are welcome to work on this ticket. That said, please note that this is not a straightforward issue and requires strong familiarity with ASGI and the REMOTE_USER authentication mechanism.

Also, please avoid relying on LLMs to drive your contribution, and ensure that you have carefully read the contributing documentation we have shared. In recent submissions, we have noticed that the code and documentation style do not fully align with the guidelines outlined in the Django coding style documentation. While some checks are automated, others are not. We therefore expect contributors to manually review their work and ensure it follows the documented conventions before submitting it for review.

comment:4 by Kundan Yadav, 2 weeks ago

Owner: set to Kundan Yadav
Status: new → assigned