mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
This commit is contained in:
parent
8b4a43dda7
commit
0468159763
@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = []
|
|||||||
# SECURITY MIDDLEWARE #
|
# SECURITY MIDDLEWARE #
|
||||||
#######################
|
#######################
|
||||||
SECURE_BROWSER_XSS_FILTER = False
|
SECURE_BROWSER_XSS_FILTER = False
|
||||||
SECURE_CONTENT_TYPE_NOSNIFF = False
|
SECURE_CONTENT_TYPE_NOSNIFF = True
|
||||||
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
|
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
|
||||||
SECURE_HSTS_PRELOAD = False
|
SECURE_HSTS_PRELOAD = False
|
||||||
SECURE_HSTS_SECONDS = 0
|
SECURE_HSTS_SECONDS = 0
|
||||||
|
@ -2191,12 +2191,16 @@ header if you support older browsers.
|
|||||||
``SECURE_CONTENT_TYPE_NOSNIFF``
|
``SECURE_CONTENT_TYPE_NOSNIFF``
|
||||||
-------------------------------
|
-------------------------------
|
||||||
|
|
||||||
Default: ``False``
|
Default: ``True``
|
||||||
|
|
||||||
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
|
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
|
||||||
sets the :ref:`x-content-type-options` header on all responses that do not
|
sets the :ref:`x-content-type-options` header on all responses that do not
|
||||||
already have it.
|
already have it.
|
||||||
|
|
||||||
|
.. versionchanged:: 3.0
|
||||||
|
|
||||||
|
In older versions, the default value is ``False``.
|
||||||
|
|
||||||
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
|
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
|
||||||
|
|
||||||
``SECURE_HSTS_INCLUDE_SUBDOMAINS``
|
``SECURE_HSTS_INCLUDE_SUBDOMAINS``
|
||||||
|
@ -519,6 +519,12 @@ Miscellaneous
|
|||||||
field names contains an asterisk, then the ``Vary`` header will consist of a
|
field names contains an asterisk, then the ``Vary`` header will consist of a
|
||||||
single asterisk ``'*'``.
|
single asterisk ``'*'``.
|
||||||
|
|
||||||
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
|
||||||
|
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
|
||||||
|
:class:`~django.middleware.security.SecurityMiddleware` sets the
|
||||||
|
:ref:`x-content-type-options` header on all responses that do not already
|
||||||
|
have it.
|
||||||
|
|
||||||
.. _deprecated-features-3.0:
|
.. _deprecated-features-3.0:
|
||||||
|
|
||||||
Features deprecated in 3.0
|
Features deprecated in 3.0
|
||||||
|
@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase):
|
|||||||
self.assertEqual(headers, [
|
self.assertEqual(headers, [
|
||||||
b'Content-Length: 0',
|
b'Content-Length: 0',
|
||||||
b'Content-Type: text/html; charset=utf-8',
|
b'Content-Type: text/html; charset=utf-8',
|
||||||
|
b'X-Content-Type-Options: nosniff',
|
||||||
b'X-Frame-Options: SAMEORIGIN',
|
b'X-Frame-Options: SAMEORIGIN',
|
||||||
])
|
])
|
||||||
|
Loading…
Reference in New Issue
Block a user