From 7083f016c15d44cf65a7d36229c599b79bcdb054 Mon Sep 17 00:00:00 2001 From: Matt Peel <893117+madmatt@users.noreply.github.com> Date: Tue, 10 Sep 2019 12:55:24 +1200 Subject: [PATCH] Update secure coding standards As of SS4.0.0 and the introduction of TrustedProxyMiddleware, the default now if no trusted proxies are defined is that nothing is a trusted proxy, whereas in SS3 a missing declaration was treated as everything being allowed. --- docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md index a3393a72a..bbc981ab0 100644 --- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md +++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md @@ -697,9 +697,7 @@ following in your .htaccess to ensure this behaviour is activated. ``` -In a future release this behaviour will be changed to be on by default, and this environment -variable will be no longer necessary, thus it will be necessary to always set -`SS_TRUSTED_PROXY_IPS` if using a proxy. +As of SilverStripe 4, this behaviour is on by default, and the environment variable is no longer required. For correct operation, it is necessary to always set `SS_TRUSTED_PROXY_IPS` if using a proxy. ## Secure Sessions, Cookies and TLS (HTTPS)
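Review bot: In the added line, "the environment variable is no longer required" is ambiguous, because the next sentence requires `SS_TRUSTED_PROXY_IPS`, which is also an environment variable; name the variable that is no longer needed. The unchanged context above the hunk still tells readers to add something to .htaccess "to ensure this behaviour is activated", which now sits awkwardly beside "on by default", so that paragraph should be scoped to older versions or removed in the same change. The commit message states the practical consequence (with no trusted proxies defined, nothing is treated as a trusted proxy), and the doc text would be clearer if it said so directly, so that readers behind a proxy know what happens when `SS_TRUSTED_PROXY_IPS` is left unset. Minor style point: the replacement is a single long line where the removed text was hard-wrapped.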