Update secure coding standards

As of SS4.0.0 and the introduction of TrustedProxyMiddleware, the default now if no trusted proxies are defined is that nothing is a trusted proxy, whereas in SS3 a missing declaration was treated as everything being allowed.
Matt Peel 2019-09-10 12:55:24 +12:00 committed by GitHub
parent f788a8a927
commit 7083f016c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -697,9 +697,7 @@ following in your .htaccess to ensure this behaviour is activated.
</IfModule>
```
In a future release this behaviour will be changed to be on by default, and this environment
variable will be no longer necessary, thus it will be necessary to always set
`SS_TRUSTED_PROXY_IPS` if using a proxy.
As of SilverStripe 4, this behaviour is on by default, and the environment variable is no longer required. For correct operation, it is necessary to always set `SS_TRUSTED_PROXY_IPS` if using a proxy.
## Secure Sessions, Cookies and TLS (HTTPS)
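Review bot: The added sentence says `SS_TRUSTED_PROXY_IPS` must always be set when using a proxy, but it does not say what happens when the variable is left unset. The commit message gives that detail (with no trusted proxies defined, nothing is treated as a trusted proxy, whereas SS3 treated a missing declaration as allowing everything), and it belongs in the documentation text itself so readers upgrading from SS3 understand why forwarded headers stop being honoured. Also, the retained context above still instructs readers to add the .htaccess block "to ensure this behaviour is activated", which conflicts with "the environment variable is no longer required"; consider marking that step as applying to SilverStripe 3 only, or removing it.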