lgcosta/paperless-ngx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Not xss, but host header

Browse Source
This commit is contained in:
Daniel Quinn 2017-01-04 11:37:26 +00:00
parent 7b586e6857
commit 1711030cb5
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
paperless.conf.example
View File

@ -95,7 +95,9 @@ PAPERLESS_SHARED_SECRET=""
# If you're planning on putting Paperless on the open internet, then you # If you're planning on putting Paperless on the open internet, then you
# really should set this value to the domain name you're using. Failing to do # really should set this value to the domain name you're using. Failing to do
# so leaves you open to XSS attacks. # so leaves you open to HTTP host header attacks:
# https://docs.djangoproject.com/en/1.10/topics/security/#host-headers-virtual-hosting
#
# Just remember that this is a comma-separated list, so "example.com" is fine, # Just remember that this is a comma-separated list, so "example.com" is fine,
# as is "example.com,www.example.com", but NOT " example.com" or "example.com," # as is "example.com,www.example.com", but NOT " example.com" or "example.com,"
#PAPERLESS_ALLOWED_HOSTS="example.com,www.example.com" #PAPERLESS_ALLOWED_HOSTS="example.com,www.example.com"