[Django] #36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI


Django

Jan 13, 2026, 1:15:33 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Type:
| Cleanup/optimization
Status: new | Component:
| Documentation
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
RemoteUserMiddleware asgi | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The current `RemoteUser`
[https://docs.djangoproject.com/en/6.0/howto/auth-remote-user/ docs]
explains the trust model assuming a front-end web
server that **securely** sets the `REMOTE_USER` env var, but it does not
clearly address ASGI deployments where Django may be the direct HTTP
endpoint (uvicorn, daphne examples). This can lead readers to assume that
enabling `RemoteUserMiddleware` under ASGI without a reverse proxy is
safe.

The docs should explicitly state that `RemoteUserMiddleware` assumes a
trusted upstream that sets or strips the relevant header, and that running
ASGI servers directly on the Internet without such a proxy will allow
clients to inject identity headers. This is a documentation clarification
only and does not change behavior.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
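
An added illustration of the "sets or strips the relevant header" requirement described in the ticket, not code from the ticket or from Django: a pure-ASGI wrapper that drops an identity header unless the connection comes from an allow-listed proxy. The header name `X-Remote-User`, the `10.0.0.0/28` proxy range and all class and function names are assumptions made for the example.

```python
import asyncio
import ipaddress

# Assumptions for this example (not from the ticket): the proxy forwards the
# authenticated identity in "X-Remote-User" and lives in this address range.
IDENTITY_HEADER = "X-Remote-User"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]  # constructed sample


def meta_key(raw_name: bytes) -> str:
    """Normalize a header name the way Django builds request.META keys:
    upper-case, '-' replaced by '_', prefixed with HTTP_."""
    return "HTTP_" + raw_name.decode("latin1").upper().replace("-", "_")


def peer_is_trusted(scope) -> bool:
    """True only if the direct peer address is inside the proxy allow-list."""
    client = scope.get("client")
    if not client:
        return False
    try:
        addr = ipaddress.ip_address(client[0])
    except ValueError:  # e.g. a unix-socket path instead of an IP address
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


class StripIdentityHeader:
    """Hypothetical ASGI wrapper placed around the Django ASGI application."""

    def __init__(self, app):
        self.app = app
        self.exact = IDENTITY_HEADER.lower().encode("latin1")
        self.blocked = meta_key(self.exact)

    def filtered_scope(self, scope):
        if scope["type"] not in ("http", "websocket"):
            return scope
        trusted = peer_is_trusted(scope)
        kept = []
        for name, value in scope.get("headers", []):
            # Every spelling that collides in request.META is dropped; only
            # the exact header from a trusted proxy is allowed through.
            if meta_key(name) == self.blocked and not (trusted and name == self.exact):
                continue
            kept.append((name, value))
        return {**scope, "headers": kept}

    async def __call__(self, scope, receive, send):
        await self.app(self.filtered_scope(scope), receive, send)


def identity_seen_downstream(client_ip, headers):
    """Run one constructed request through the wrapper and return the
    identity header values the wrapped application would receive."""
    seen = []

    async def downstream(scope, receive, send):
        seen.extend(v for k, v in scope["headers"] if meta_key(k) == "HTTP_X_REMOTE_USER")

    scope = {"type": "http", "client": (client_ip, 50000), "headers": headers}
    asyncio.run(StripIdentityHeader(downstream)(scope, None, None))
    return seen
```

A wrapper like this only narrows exposure inside the application process; the fronting proxy still has to set or strip the header itself, as the ticket describes.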

Django

Jan 13, 2026, 1:18:57 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:1>

Django

Jan 13, 2026, 1:55:16 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Kundan Yadav):

Can I work on this issue?
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:2>

Django

Jan 13, 2026, 2:29:35 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: (none)
Type: | Status: new
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):

Replying to [comment:2 Kundan Yadav]:
> Can I work on this issue?

You are welcome to work on this ticket. That said, please note that this
is not a straightforward issue and requires strong familiarity with ASGI
and the `REMOTE_USER` authentication mechanism.

Also, please avoid relying on LLMs to drive your contribution, and ensure
that you have carefully read the contributing documentation we have
shared. In recent submissions, we have noticed that the code and
documentation style do not fully align with the guidelines outlined in the
Django
[https://docs.djangoproject.com/en/6.0/internals/contributing/writing-code/coding-style/ coding style documentation].
While some checks
are automated, others are not. We therefore expect contributors to
manually review their work and ensure it follows the documented
conventions before submitting it for review.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:3>

Django

Jan 19, 2026, 4:09:25 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* owner: (none) => Kundan Yadav
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:4>

Django

Jan 19, 2026, 5:59:13 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kundan Yadav):

* has_patch: 0 => 1

Comment:

https://github.com/django/django/pull/20562
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:5>

Django

Feb 6, 2026, 3:59:50 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* cc: Andrew Godwin, Carlton Gibson, Jake Howard (removed)
* has_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:6>

Django

Feb 24, 2026, 4:32:32 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by VIZZARD-X):

Hi, I’d like to take this up, since the owner of the ticket has not
produced a patch yet and there have been no formal updates regarding the
ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:7>

Django

Feb 24, 2026, 7:50:36 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls):

Vizzard, the experience from #36750 hasn't given me the confidence that
you can handle multiple tickets at a time, so I'd prefer that you wait
until we bring that one to completion.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:8>

Django

Mar 1, 2026, 10:27:22 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by VIZZARD-X):

Hello Jacob, since #36750 is completed, can I take this ticket up with
your permission?
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:9>

Django

Mar 1, 2026, 10:29:19 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Kundan
Type: | Yadav
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by VIZZARD-X):

* cc: VIZZARD-X (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:10>

Django

Mar 23, 2026, 4:27:41 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* owner: Kundan Yadav => Jacob Walls

Comment:

Now that I close more duplicate reports about this more often than I
consume hot meals, if you don't mind Vizzard, I'm going to assign to
myself to put it on a critical path.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:11>

Django

Mar 29, 2026, 9:58:43 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls):

Note to self: also update security reporting guidelines.
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:12>

Django

Mar 31, 2026, 3:51:38 PM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
RemoteUserMiddleware asgi |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* cc: VIZZARD-X (removed)
* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/21043 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:13>

Django

Apr 1, 2026, 4:07:10 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Clifford Gama):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:14>

Django

Apr 2, 2026, 9:19:17 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"2ee757ee502d5663f932dc5c35175c39af4640ce" 2ee757ee]:
{{{#!CommitTicketReference repository=""
revision="2ee757ee502d5663f932dc5c35175c39af4640ce"
Fixed #36862 -- Doc'd the need for a proxy when deploying
RemoteUserMiddleware under ASGI.

We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:15>

Django

Apr 2, 2026, 9:23:06 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"64dfc41d563afe3c66402f7906c902800d0a3ac6" 64dfc41]:
{{{#!CommitTicketReference repository=""
revision="64dfc41d563afe3c66402f7906c902800d0a3ac6"
[6.0.x] Fixed #36862 -- Doc'd the need for a proxy when deploying
RemoteUserMiddleware under ASGI.

We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.

Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:16>

Django

Apr 2, 2026, 11:25:32 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"04bcc9913319e50b376a27c29cf9aa4e7b8247bf" 04bcc991]:
{{{#!CommitTicketReference repository=""
revision="04bcc9913319e50b376a27c29cf9aa4e7b8247bf"
Refs #36862 -- Reiterated security note on both variants of
RemoteUserMiddleware.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:17>

Django

Apr 2, 2026, 11:27:18 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"640c431a47c4075538e1de0211501f911346b65e" 640c431]:
{{{#!CommitTicketReference repository=""
revision="640c431a47c4075538e1de0211501f911346b65e"
[6.0.x] Refs #36862 -- Reiterated security note on both variants of
RemoteUserMiddleware.

Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:18>

Django

May 6, 2026, 10:42:26 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"90afa9b0f4782d2344b01dab92e8aa0227ce8fe8" 90afa9b0]:
{{{#!CommitTicketReference repository=""
revision="90afa9b0f4782d2344b01dab92e8aa0227ce8fe8"
Refs #36862 -- Clarified security note for RemoteUserMiddleware.

Co-authored-by: Sarah Boyce <42296566+...@users.noreply.github.com>
Co-authored-by: Jake Howard <g...@theorangeone.net>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:19>

Django

May 6, 2026, 10:43:23 AM
to django-...@googlegroups.com
#36862: Clarify RemoteUserMiddleware usage and deployment requirements under ASGI
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: Jacob
Type: | Walls
Cleanup/optimization | Status: closed
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
RemoteUserMiddleware asgi | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"538066963bbb87a8305a7216046c7d74b2a5fc22" 5380669]:
{{{#!CommitTicketReference repository=""
revision="538066963bbb87a8305a7216046c7d74b2a5fc22"
[6.0.x] Refs #36862 -- Clarified security note for RemoteUserMiddleware.

Co-authored-by: Sarah Boyce <42296566+...@users.noreply.github.com>
Co-authored-by: Jake Howard <g...@theorangeone.net>

Backport of 90afa9b0f4782d2344b01dab92e8aa0227ce8fe8 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36862#comment:20>