CODEWITHSUNDEEP
django
Ray P.
Ray P.

Reputation: 925

HTTP headers list

I am studying Django and have created a page that shows all HTTP headers in a request using request.META dictionary. I'm running it locally and it the page shows me a weird amount of headers like 'TEMP' containing the path to my Windows temp folder, or 'PATH' with my full path parameters and much more information that I don't really find necessary to share in my browser requests (like installed applications). Is it normal? What do I do about it?

Upvotes: 0

Views: 513

Answers (1)

freakish
freakish

Reputation: 56467

So, let's jump quickly into Django's source code:

django/core/handlers/wsgi.py

class WSGIRequest(http.HttpRequest):
    def __init__(self, environ):
        ...
        self.META = environ
        self.META['PATH_INFO'] = path_info
        self.META['SCRIPT_NAME'] = script_name
        ...

This handler is used by default in runserver command and every other wsgi server. The environ dictionary comes from the underlying web server. And it is filled with lots of data. You can read more about environ dictionary here in the official wsgi docs:

https://www.python.org/dev/peps/pep-0333/#environ-variables

Also note that any web server is free to add its own variables to environ. I assume that's why you see things like TEMP. They are probably used internally by the web server.

If you wish to get headers only then wsgi mandates that headers have to start with HTTP_ prefix with the exception of CONTENT_TYPE and CONTENT_LENGTH headers.

So Django's docs are misleading. The META field contains more then headers only. It is neither correct nor incorrect, it's just how it is. Special care has to be taken when dealing with META. Leaking some of the data might be a serious security issue.

Upvotes: 1

Related Questions