Friday, November 29, 2013

Re: Email Templates and the full website URL

On Fri, Nov 29, 2013 at 2:09 PM, Joseph Mutumi <jjmutumi@gmail.com> wrote:
> That could work but isn't it a bit insecure? I think it will be susceptible
> to a header injection (http://en.wikipedia.org/wiki/HTTP_header_injection). I
> would rather create a setting with the domain name in settings.py and then
> call it from the template or write a custom template tag.

Possibly; if you are using vhosts at all, then the host header is hard
to spoof, as in order to be routed to your application, the request
must already have the appropriate header.

If you don't use vhosts, then it is in any case wise to apply host
name canonicalisation to your website - your site may respond to
'www.foo.com' and 'foo.com', but requests for 'foo.com/blah' are
immediately redirected to 'www.foo.com/blah'. This will aid with SEO
and provide absolute, consistent URLs.

Cheers

Tom
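The two approaches discussed above (trusting the Host header versus a domain configured in settings.py) and the host-name canonicalisation Tom describes, as an added example that is not code from either message and not Django's own implementation. It assumes a settings-style allowlist named ALLOWED_HOSTS (after Django's setting of that name) and a hypothetical CANONICAL_HOST setting; it uses only the standard library so it runs without Django, with the sample configuration constructed inline:

```python
"""Absolute URLs for e-mail templates from a validated Host header.

Added example for this thread, not code posted by either participant and not
Django's own implementation. It assumes a settings-style allowlist
(ALLOWED_HOSTS, named after Django's setting) and a single canonical host
(CANONICAL_HOST, a hypothetical setting name). Standard library only.
"""
import re
from urllib.parse import urlunsplit

# Constructed configuration standing in for settings.py (assumption).
# A leading dot matches the domain and every subdomain, the ALLOWED_HOSTS convention.
ALLOWED_HOSTS = ["www.foo.com", "foo.com", ".staging.foo.com"]
CANONICAL_HOST = "www.foo.com"
SCHEME = "https"

# A syntactically valid Host value: DNS name or bracketed IPv6 literal plus an
# optional port. CR/LF, spaces, '/', '@' and '?' never match, so a header-injection
# payload or a "trusted.host/evil.com" lookalike is rejected before any matching.
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?", re.IGNORECASE)


def _parse_host(host_header):
    """Split a Host header into (domain, port_suffix); None if it is malformed."""
    if not host_header:
        return None
    match = _HOST_RE.fullmatch(host_header)
    if match is None:
        return None
    domain, port = match.group(1).lower(), match.group(2) or ""
    return domain.rstrip("."), port  # "foo.com." names the same host as "foo.com"


def _host_allowed(domain, allowed_hosts):
    """Allowlist matching: exact name, or '.example.com' for the domain and its subdomains."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def validate_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return 'host[:port]' if the request was genuinely for one of our names, else None."""
    parsed = _parse_host(host_header)
    if parsed is None:
        return None
    domain, port = parsed
    return domain + port if _host_allowed(domain, allowed_hosts) else None


def absolute_url(path, host_header, allowed_hosts=ALLOWED_HOSTS,
                 fallback=CANONICAL_HOST, scheme=SCHEME):
    """Build the full URL an e-mail template should embed.

    The Host header is used only after it passes the allowlist; a missing,
    malformed or foreign Host falls back to the configured domain, so a link
    sent by mail (for example a password reset) never points at a host chosen
    by whoever sent the request.
    """
    host = validate_host(host_header, allowed_hosts) or fallback
    return urlunsplit((scheme, host, path, "", ""))


def canonical_redirect(host_header, path, allowed_hosts=ALLOWED_HOSTS,
                       canonical=CANONICAL_HOST, scheme=SCHEME):
    """Host-name canonicalisation as described in the thread.

    Returns (status, location): 400 for a Host this site does not serve,
    301 with the canonical URL for an alias such as 'foo.com', and 200 when
    the request already used the canonical name.
    """
    parsed = _parse_host(host_header)
    if parsed is None or not _host_allowed(parsed[0], allowed_hosts):
        return 400, None
    domain, port = parsed
    if domain == canonical:
        return 200, None
    return 301, urlunsplit((scheme, canonical + port, path, "", ""))


if __name__ == "__main__":
    for host in ["www.foo.com", "foo.com", "evil.com", "www.foo.com\r\nX-Injected: 1"]:
        print(repr(host), "->", absolute_url("/reset/abc/", host), canonical_redirect(host, "/blah"))
```

Django performs the same Host validation itself through the ALLOWED_HOSTS setting and HttpRequest.get_host(), which refuses a Host that is not listed, so in a real project use those rather than re-implementing them; the redirect in canonical_redirect would live in a middleware or, better, in the web server's vhost configuration.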

--
You received this message because you are subscribed to the Google Groups "Django users" group.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAFHbX1JTkO7DNSVN%3Dj7AMR%3DhuS6uET1WcOfC%2B0jOYOuRW0hHWQ%40mail.gmail.com.
