From 817723915bdc545ca8d02b1979843398441bc42b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Feb 2026 08:29:35 +0000 Subject: [PATCH 1/7] Initial plan From 47b811bbe1d2a4cbac1c6b204fd1e9aef3c84f72 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Feb 2026 08:31:57 +0000 Subject: [PATCH 2/7] Add security considerations documentation Co-authored-by: nijel <212189+nijel@users.noreply.github.com> --- docs/index.rst | 1 + docs/security.rst | 76 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 docs/security.rst diff --git a/docs/index.rst b/docs/index.rst index e71f6e5c..683d0d51 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -24,6 +24,7 @@ Code and other contributions are welcome. The code is hosted on GitHub_. intro maintainers installing + security configuration/index pipeline strategies diff --git a/docs/security.rst b/docs/security.rst new file mode 100644 index 00000000..e6bcb253 --- /dev/null +++ b/docs/security.rst 
@@ -0,0 +1,76 @@ +Security considerations +======================= + +The library may use the incoming HTTP Host header when generating absolute URLs +or redirects during the authentication and authorization flow. If the Host +header is not validated by the deployment stack, it may allow host header +injection attacks. + +This is a deployment and configuration concern rather than a defect in the +library itself. The behavior is intentional, as the library needs to construct +absolute URLs for OAuth callbacks and redirects. Proper upstream validation is +required to ensure that only legitimate Host header values are accepted by your +application. + + +Reverse proxy configuration +---------------------------- + +When deploying behind a reverse proxy (such as nginx, Apache, HAProxy, or a +cloud load balancer), the proxy must validate the Host header before forwarding +requests to the application. + +Key requirements: + +* **Validate the Host header**: Only expected hostnames should be forwarded + upstream to the application. Requests with unexpected or malicious Host + values should be rejected by the proxy. + +* **Forwarded headers**: If your deployment uses forwarded headers such as + ``X-Forwarded-Host`` or the standard ``Forwarded`` header: + + * These headers must be accepted **only from trusted proxies**. + * They must **not** be blindly trusted from direct client requests. + * They must be configured explicitly in the proxy configuration. + +* **No vendor-specific details**: Configuration syntax varies across reverse + proxy implementations. Consult your proxy's documentation for Host header + validation and forwarded header handling. + + +Django configuration +-------------------- + +When using Python Social Auth with Django, proper Host header validation must +be configured at the application level using Django's built-in security +features. 
+ +Key requirements: + +* **Configure ALLOWED_HOSTS**: The ``ALLOWED_HOSTS`` setting must be explicitly + configured with the canonical hostname(s) for your application. For example:: + + ALLOWED_HOSTS = ['example.com', 'www.example.com'] + +* **Never use wildcard in production**: The wildcard value ``"*"`` must not be + used in production environments, as it disables Host header validation + entirely. + +* **Host validation behind proxies**: Host validation must remain enabled even + when the application is deployed behind a reverse proxy. Do not disable + ``ALLOWED_HOSTS`` validation based on the assumption that the proxy will + handle it. + +* **Forwarded header settings**: If your deployment uses forwarded headers, + configure Django's ``USE_X_FORWARDED_HOST`` setting carefully. This setting + should only be enabled when: + + * The application is behind a trusted reverse proxy. + * The proxy is properly configured to set or strip forwarded headers. + * The proxy prevents clients from sending malicious forwarded headers + directly. + +For more information on Django security settings, refer to the `Django security +documentation`_. + +.. _Django security documentation: https://docs.djangoproject.com/en/stable/topics/security/ From 5a93a127d63f05f0256a2dbbdfcbb8ad432fa2bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Feb 2026 09:59:11 +0100 Subject: [PATCH 3/7] Apply suggestion from @nijel --- docs/security.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index e6bcb253..5b603fcb 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -33,10 +33,12 @@ Key requirements: * They must **not** be blindly trusted from direct client requests. * They must be configured explicitly in the proxy configuration. -* **No vendor-specific details**: Configuration syntax varies across reverse - proxy implementations. Consult your proxy's documentation for Host header - validation and forwarded header handling. +.. note:: + Configuration syntax varies across reverse + proxy implementations. Consult your proxy's documentation for Host header + validation and forwarded header handling. + Django configuration -------------------- From d3a868883a7de1a2f1692e6dd068f4a0a1a73017 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 08:59:18 +0000 Subject: [PATCH 4/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 5b603fcb..45a1b9ec 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -33,12 +33,12 @@ Key requirements: * They must **not** be blindly trusted from direct client requests. * They must be configured explicitly in the proxy configuration. -.. note:: +.. note:: Configuration syntax varies across reverse proxy implementations. Consult your proxy's documentation for Host header validation and forwarded header handling. - + Django configuration -------------------- From 125b7f7caccf98629e868a613dac4f6b2311b453 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Feb 2026 10:01:43 +0100 Subject: [PATCH 5/7] Apply suggestion from @nijel --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.rst b/docs/security.rst index 45a1b9ec..15ea8c1b 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -1,7 +1,7 @@ Security considerations ======================= -The library may use the incoming HTTP Host header when generating absolute URLs +The library may use the incoming HTTP ``Host`` header when generating absolute URLs or redirects during the authentication and authorization flow. If the Host header is not validated by the deployment stack, it may allow host header injection attacks. From 7dcf324a143e412b62b2d3d67e14fda03a32ff2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Feb 2026 10:01:58 +0100 Subject: [PATCH 6/7] Apply suggestion from @nijel --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.rst b/docs/security.rst index 15ea8c1b..1f93543d 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -2,7 +2,7 @@ Security considerations ======================= The library may use the incoming HTTP ``Host`` header when generating absolute URLs -or redirects during the authentication and authorization flow. If the Host +or redirects during the authentication and authorization flow. If the ``Host`` header is not validated by the deployment stack, it may allow host header injection attacks. From 473922f1dfdf07f6ee7e73dd589db60217ac9ff4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 17 Feb 2026 10:02:22 +0100 Subject: [PATCH 7/7] Apply suggestion from @nijel --- docs/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.rst b/docs/security.rst index 1f93543d..e27dd768 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -9,7 +9,7 @@ injection attacks. This is a deployment and configuration concern rather than a defect in the library itself. The behavior is intentional, as the library needs to construct absolute URLs for OAuth callbacks and redirects. Proper upstream validation is -required to ensure that only legitimate Host header values are accepted by your +required to ensure that only legitimate ``Host`` header values are accepted by your application.
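Review bot: in the new-file hunk of [PATCH 2/7] (docs/security.rst), the third bullet of the reverse proxy "Key requirements" list, `* **No vendor-specific details**: Configuration syntax varies across reverse proxy implementations...`, is written as an instruction to the document's author, not a requirement the operator has to meet, yet it sits in a list whose other two items are things the deployment must do. Move it out of the list into a `.. note::` directive (or a plain paragraph) after the list so the list keeps its meaning of hard requirements. Two smaller points in the same hunk: the opening sentence hedges with "The library may use the incoming HTTP Host header" while the next paragraph states the behaviour is intentional for building absolute OAuth callback and redirect URLs, so say that directly; and the `USE_X_FORWARDED_HOST` bullet does not say what the setting changes, which leaves the three sub-bullets reading as if they replaced `ALLOWED_HOSTS`. Adding one sentence that Django still checks the value it takes from `X-Forwarded-Host` against `ALLOWED_HOSTS` would make it clear that the sub-bullets are about stopping a client-supplied forwarded header from reaching the application at all, and ties the bullet back to the "Host validation behind proxies" bullet above it.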
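Review bot: in the [PATCH 3/7] hunk of docs/security.rst, the added `.. note::` line and the blank line after the note body carry trailing whitespace (the following pre-commit commit removes exactly `-.. note:: ` and `-    `), and the note body is wrapped unevenly, with `Configuration syntax varies across reverse` alone on the first line while the next two lines run to full width, because the text was lifted from the bullet without reflowing. Reflow the three lines to the paragraph width used elsewhere in the file and keep whitespace-only lines empty, so the suggestion commit does not need a follow-up fix.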
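Review bot: the [PATCH 4/7] hunk is a whitespace-only correction of the previous commit (`-.. note:: ` to `+.. note::` and the spaces-only blank line to an empty one); nothing to review in the content, but it should be squashed into [PATCH 3/7] rather than landing as a separate bot commit in the history.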
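Review bot: in the [PATCH 5/7] hunk, wrapping `Host` in double backticks pushes `+The library may use the incoming HTTP ``Host`` header when generating absolute URLs` past the width the rest of the paragraph is wrapped at (the original line was already the longest in the paragraph), and the same happens to the `required to ensure that only legitimate ``Host`` header values are accepted by your` line in [PATCH 7/7]. Reflow the affected paragraphs after adding the markup so the source stays consistently wrapped.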
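Review bot: the [PATCH 5/7], [PATCH 6/7] and [PATCH 7/7] hunks each change one occurrence of `Host` to ``` ``Host`` ``` in the two introductory paragraphs, but the same word is left as plain text everywhere else in the file that the earlier hunks added: "Validate the Host header", "the proxy must validate the Host header", "Host validation behind proxies" and "proper Host header validation". Apply the literal markup in one pass over the whole file (or decide that prose mentions stay plain and revert these three), and squash the three single-line suggestion commits into one, since each on its own leaves the document inconsistent.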