[Django] #36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI

Django

Jan 13, 2026, 1:15:33 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type: Cleanup/optimization
Status: new | Component: Documentation
Version: 6.0 | Severity: Normal
Keywords: RemoteUserMiddleware asgi | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The current `RemoteUser`
[https://docs.djangoproject.com/en/6.0/howto/auth-remote-user/ docs]
explain the trust model assuming a front-end web server that **securely**
sets the `REMOTE_USER` env var, but they do not clearly address ASGI
deployments where Django may be the direct HTTP endpoint (uvicorn, daphne
examples). This can lead readers to assume that enabling
`RemoteUserMiddleware` under ASGI without a reverse proxy is safe.

The docs should explicitly state that `RemoteUserMiddleware` assumes a
trusted upstream that sets or strips the relevant header, and that running
ASGI servers directly on the Internet without such a proxy will allow
clients to inject identity headers. This is a documentation clarification
only and does not change behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
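
As an added illustration of the "trusted upstream that sets or strips the relevant header" requirement described in the ticket (not code from the ticket or from Django): a pure-ASGI wrapper that drops an identity header unless the connection comes from an allowlisted proxy address. The header name `x-remote-user`, the proxy address and the helper names are assumptions made for this sketch.

```python
import asyncio
import ipaddress

# Assumptions for this sketch: the header a RemoteUserMiddleware subclass
# would read (as META["HTTP_X_REMOTE_USER"]) and the proxy's address.
IDENTITY_HEADER = b"x-remote-user"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed value


def _canonical(name: bytes) -> bytes:
    # Django's ASGI handler upper-cases header names and replaces "-" with
    # "_", so "x_remote_user" and "x-remote-user" land on the same META key.
    return name.lower().replace(b"_", b"-")


def peer_is_trusted(scope) -> bool:
    client = scope.get("client")
    if not client:  # unknown peer: fail closed
        return False
    try:
        addr = ipaddress.ip_address(client[0])
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


class StripUntrustedIdentityHeader:
    """Remove the identity header when the peer is not the trusted proxy."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket") and not peer_is_trusted(scope):
            kept = [(k, v) for k, v in scope.get("headers", [])
                    if _canonical(k) != IDENTITY_HEADER]
            scope = {**scope, "headers": kept}
        await self.app(scope, receive, send)


def headers_seen_by_app(scope):
    """Run the wrapper around a recording app; return the headers it saw."""
    seen = {}

    async def app(inner_scope, receive, send):
        seen["headers"] = list(inner_scope["headers"])

    asyncio.run(StripUntrustedIdentityHeader(app)(scope, None, None))
    return seen["headers"]
```

In a project's `asgi.py` this would wrap the result of `get_asgi_application()`. The peer-address check only holds if nothing else can connect from the allowlisted address and the proxy itself overwrites or strips any client-supplied copy of the header.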

Django

Jan 13, 2026, 1:18:57 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: RemoteUserMiddleware asgi | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:1>

Django

Jan 13, 2026, 1:55:16 PM
to django-...@googlegroups.com
Comment (by Kundan Yadav):

Can I work on this issue?
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:2>

Django

Jan 13, 2026, 2:29:35 PM
to django-...@googlegroups.com
Comment (by Natalia Bidart):

Replying to [comment:2 Kundan Yadav]:
> Can I work on this issue?

You are welcome to work on this ticket. That said, please note that this
is not a straightforward issue and requires strong familiarity with ASGI
and the `REMOTE_USER` authentication mechanism.

Also, please avoid relying on LLMs to drive your contribution, and ensure
that you have carefully read the contributing documentation we have
shared. In recent submissions, we have noticed that the code and
documentation style do not fully align with the guidelines outlined in the
Django
[https://docs.djangoproject.com/en/6.0/internals/contributing/writing-code/coding-style/ coding style documentation].
While some checks
are automated, others are not. We therefore expect contributors to
manually review their work and ensure it follows the documented
conventions before submitting it for review.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:3>