From 268a87442e85ff6553486c2c6a7dd679c4460ed2 Mon Sep 17 00:00:00 2001
From: Bridger Maxwell
Date: Fri, 24 Aug 2012 14:18:49 -0400
Subject: [PATCH] Added SECURE_PROXY_SSL_HEADER to env/aws.
---
 lms/envs/aws.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index 75ae712b88..a035d291e8 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -23,6 +23,12 @@ DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
 MITX_FEATURES['ENABLE_DISCUSSION'] = False
 MITX_FEATURES['ENABLE_DISCUSSION_SERVICE'] = True
+# IMPORTANT: With this enabled, the server must always be behind a proxy that
+# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
+# a user can fool our server into thinking it was an https connection.
+# See https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
+# for other warnings.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 ########################### NON-SECURE ENV CONFIG ##############################
 # Things like server locations, ports, etc.
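Review bot: The warning added above SECURE_PROXY_SSL_HEADER understates the proxy requirement: a proxy that only strips a client-supplied X-Forwarded-Proto is not sufficient, because Django then sees no header and treats every request, including genuine TLS ones, as plain HTTP; the proxy has to set the header itself on every forwarded request, replacing whatever the client sent. I would reword the second comment line to `# sets X-Forwarded-Proto itself on every request (replacing any client-supplied value). Otherwise,` so an operator configuring the load balancer reads the correct contract. The value is also hard-coded in the section that precedes the NON-SECURE ENV CONFIG header rather than being made deployment-specific, so any environment that imports this settings module without such a proxy in front of it inherits the spoofable behaviour; a one-line note naming that dependency, e.g. `# Deployment contract: only valid when every request reaches the LMS via the TLS-terminating proxy.`, would make the assumption visible where the setting lives. The hunk header reports six context lines while only four non-blank ones survive in the collapsed source, so some blank context lines are likely missing from this view.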