id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36862	Clarify RemoteUserMiddleware usage and deployment requirements under ASGI	Natalia Bidart	Jacob Walls	"The current `RemoteUser` [https://docs.djangoproject.com/en/6.0/howto/auth-remote-user/ docs] explains the trust model assuming a front-end web server that **securely** sets `REMOTE_USER` env var, but it does not clearly address ASGI deployments where Django may be the direct HTTP endpoint ( uvicorn, daphne examples). This can lead readers to assume that enabling `RemoteUserMiddleware` under ASGI without a reverse proxy is safe.

The docs should explicitly state that `RemoteUserMiddleware` assumes a trusted upstream that sets or strips the relevant header, and that running ASGI servers directly on the Internet without such a proxy will allow clients to inject identity headers. This is a documentation clarification only and does not change behavior."	Cleanup/optimization	closed	Documentation	6.0	Normal	fixed	RemoteUserMiddleware asgi		Ready for checkin	1	0	0	0	0	0