Reputation: 3356
How is Django's HttpRequest.META dictionary populated? Do all the keys and values come from the headers of the HTTP request sent by the client? If so, must I assume that all of these values can be modified by the client?
I am asking because I can't find most of the keys in the headers that are displayed in my Chrome debugging console. And some of those keys are definitely not the client's business, for example the username of a user logged in via Shibboleth. It makes no sense to me why this kind of data would be sent first from the server to the client and then back to the server via the HTTP request.
Upvotes: 1
Views: 1460
Reputation: 432
I met the same problem when I tried to add custom request.META keys in Django.
From the official document:
With the exception of CONTENT_LENGTH and CONTENT_TYPE, as given above, any HTTP headers in the request are converted to META keys by converting all characters to uppercase, replacing any hyphens with underscores and adding an HTTP_ prefix to the name. So, for example, a header called X-Bender would be mapped to the META key HTTP_X_BENDER.
Note that runserver strips all headers with underscores in the name, so you won't see them in META. This prevents header spoofing based on the ambiguity between underscores and dashes both being normalized to underscores in WSGI environment variables. It matches the behavior of web servers like Nginx and Apache 2.4+.
That means if you add a header named "new_meta", it will be converted to "HTTP_NEW_META", and a header named "new" will be converted to "HTTP_NEW".
By the way, the other keys in request.META without the "HTTP_" prefix come from the server environment; you can find them by running export on your server host.
Upvotes: 0
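The mapping quoted from the docs above is easy to misread, so here is a small, self-contained model of it. This is an added example, not code from the original question, the answers, or Django itself: it reimplements the header-to-META rule and the underscore stripping in plain Python so you can see which keys a client can set. The function names (header_to_meta_key, build_meta, is_client_controlled), the sample server environment and the sample request headers are all constructed for this illustration.

```python
# Added example (not from the original answers or from Django): a miniature
# of the WSGI header-to-META mapping described in the Django docs, used to
# show which request.META keys a client can influence. All names and sample
# data below are constructed for this example.
import re

# Header names are token characters; this is enough for the demo.
_HEADER_NAME = re.compile(r"^[A-Za-z0-9\-_]+$")


def header_to_meta_key(name: str) -> str:
    """Map an HTTP header name to the META key Django exposes it under:
    uppercase, hyphens to underscores, HTTP_ prefix, except the two
    CGI-style keys CONTENT_LENGTH and CONTENT_TYPE."""
    upper = name.upper().replace("-", "_")
    if upper in ("CONTENT_LENGTH", "CONTENT_TYPE"):
        return upper
    return "HTTP_" + upper


def build_meta(server_env: dict, headers: list, strip_underscores: bool = True) -> dict:
    """Simulate what a WSGI server hands to Django.

    server_env: variables the server itself sets (for example REMOTE_USER
                filled in by an authentication module).
    headers:    (name, value) pairs exactly as the client sent them.
    With strip_underscores=True, headers whose name contains '_' are dropped,
    which is what runserver, nginx and Apache 2.4+ do by default.
    """
    meta = dict(server_env)
    for name, value in headers:
        if not _HEADER_NAME.match(name):
            continue  # malformed header name: ignore it
        if strip_underscores and "_" in name:
            continue  # same policy as the servers named in the docs
        # Later headers with the same META key overwrite earlier ones; this
        # is exactly the dash/underscore ambiguity the stripping prevents.
        meta[header_to_meta_key(name)] = value
    return meta


def is_client_controlled(key: str) -> bool:
    """Keys derived from the request line or request headers are client
    controlled; everything else was set by the server. (Approximation
    used for this example; real servers add more request-derived keys.)"""
    return key.startswith("HTTP_") or key in {
        "CONTENT_LENGTH", "CONTENT_TYPE", "REQUEST_METHOD",
        "PATH_INFO", "QUERY_STRING",
    }


# Constructed sample: the server's auth module set REMOTE_USER, and the
# client tries to smuggle its own identity and a fake proxy chain via headers.
SERVER_ENV = {"REMOTE_USER": "alice", "SERVER_NAME": "app.example.test"}
CLIENT_HEADERS = [
    ("Host", "app.example.test"),
    ("Remote-User", "admin"),          # lands in HTTP_REMOTE_USER, never REMOTE_USER
    ("X-Forwarded-For", "10.0.0.5"),
    ("X_Forwarded_For", "127.0.0.1"),  # underscore variant of the same META key
]


def demo(strip_underscores: bool = True) -> dict:
    """META as Django would see it for the constructed request."""
    return build_meta(SERVER_ENV, CLIENT_HEADERS, strip_underscores)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key:22} {value!r:22} client-controlled={is_client_controlled(key)}")
```

Two things the run makes visible. First, a client header named Remote-User becomes HTTP_REMOTE_USER and can never overwrite the server-set REMOTE_USER, which is why a key without the HTTP_ prefix is the one to trust for something like a Shibboleth username. Second, with strip_underscores=False the X_Forwarded_For header silently replaces X-Forwarded-For under the same META key, so a front server that does not strip underscored headers lets a client override any HTTP_ key it likes.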
Reputation: 77912
Most of request.META comes from the script's environment, cf. the django.core.handler.wsgi.WSGIRequest class initializer. I'm talking about the WSGI handler only here, but AFAICT it's currently the only concrete handler subclass, and all other deployment options end up using WSGI one way or another (cf. django.core.server.fastcgi and django.core.server.basehttp).
IOW: what you get in request.META depends on what the calling script passed in, which depends on the front server etc.
Upvotes: 2
Reputation: 359
I believe you are correct, and the data should never be trusted. The only thing between you and the client is the server, e.g. nginx, which might modify the headers, e.g. allow only a certain size and so on. But I could be wrong :)
Upvotes: 1