1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.

This commit is contained in:
Claude Paroz 2019-08-02 17:16:01 +02:00 committed by Mariusz Felisiak
parent 8b4a43dda7
commit 0468159763
4 changed files with 13 additions and 2 deletions

View File

@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = []
# SECURITY MIDDLEWARE # # SECURITY MIDDLEWARE #
####################### #######################
SECURE_BROWSER_XSS_FILTER = False SECURE_BROWSER_XSS_FILTER = False
SECURE_CONTENT_TYPE_NOSNIFF = False SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = False SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False SECURE_HSTS_PRELOAD = False
SECURE_HSTS_SECONDS = 0 SECURE_HSTS_SECONDS = 0

View File

@ -2191,12 +2191,16 @@ header if you support older browsers.
``SECURE_CONTENT_TYPE_NOSNIFF`` ``SECURE_CONTENT_TYPE_NOSNIFF``
------------------------------- -------------------------------
Default: ``False`` Default: ``True``
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
sets the :ref:`x-content-type-options` header on all responses that do not sets the :ref:`x-content-type-options` header on all responses that do not
already have it. already have it.
.. versionchanged:: 3.0
In older versions, the default value is ``False``.
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
``SECURE_HSTS_INCLUDE_SUBDOMAINS`` ``SECURE_HSTS_INCLUDE_SUBDOMAINS``

View File

@ -519,6 +519,12 @@ Miscellaneous
field names contains an asterisk, then the ``Vary`` header will consist of a field names contains an asterisk, then the ``Vary`` header will consist of a
single asterisk ``'*'``. single asterisk ``'*'``.
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
:class:`~django.middleware.security.SecurityMiddleware` sets the
:ref:`x-content-type-options` header on all responses that do not already
have it.
.. _deprecated-features-3.0: .. _deprecated-features-3.0:
Features deprecated in 3.0 Features deprecated in 3.0

View File

@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase):
self.assertEqual(headers, [ self.assertEqual(headers, [
b'Content-Length: 0', b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8', b'Content-Type: text/html; charset=utf-8',
b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: SAMEORIGIN', b'X-Frame-Options: SAMEORIGIN',
]) ])