=== Security issue in the development server (runserver) ===

Thanks for the report and for taking the time to submit it through the appropriate channel.

After review, we've determined that this issue only affects the development server used by runserver. As documented at [0]:

"This lightweight development server has not gone through security audits or performance tests, hence is unsuitable for production. Making this server able to handle a production environment is outside the scope of Django."

Because of this, the behavior you reported is not considered a security issue within the Django project. That said, we appreciate your diligence and have opened a public ticket to track a regular fix for this case, with appropriate credit for your report.

[0] https://docs.djangoproject.com/en/stable/ref/django-admin/#django-admin-runserver

=== Unauthenticated cache purge ===

(This is a known behavior and we've previously disregarded such reports; it needs a skeleton response.)
