Add security documentation for Host header validation

[Copilot]

The library constructs absolute URLs using the HTTP Host header for OAuth callbacks and redirects. Without proper deployment configuration, this enables host header injection attacks.

Changes

• Created docs/security.rst: New top-level section documenting Host header handling and mitigation strategies
• Updated docs/index.rst: Integrated security section in TOC between Installation and Configuration

Content Structure

Reverse proxy configuration

• Host header validation requirements
• Forwarded header trust boundaries (X-Forwarded-Host, Forwarded)
• Framework-agnostic guidance without vendor-specific configs

Django configuration

• ALLOWED_HOSTS explicit configuration requirements
• Production wildcard prohibition
• USE_X_FORWARDED_HOST trust model and proxy assumptions

Rendered Output

The documentation clarifies this is deployment-level mitigation, not a library defect, and maintains the existing tone and formatting conventions.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• docs.python.org
  • Triggering command: /usr/bin/python python -m sphinx -b html . _build/html (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.