mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Refs #30426 -- Moved release notes into separate security section.
This commit is contained in:
parent
fc62e16291
commit
1edbb6c194
@ -364,6 +364,22 @@ Requests and Responses
* For use in, for example, Django templates, :attr:`.HttpRequest.headers` now
allows look ups using underscores (e.g. ``user_agent``) in place of hyphens.

.. _whats-new-security-3.0:

Security
~~~~~~~~

* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. In older versions, the
:setting:`X_FRAME_OPTIONS` setting defaults to ``'SAMEORIGIN'``. If your site
uses frames of itself, you will need to explicitly set ``X_FRAME_ORIGINS =
'SAMEORIGIN'`` for them to continue working.

* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
:class:`~django.middleware.security.SecurityMiddleware` sets the
:ref:`x-content-type-options` header on all responses that do not already
have it.

Serialization
~~~~~~~~~~~~~

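Review bot: the remediation in the new ``X_FRAME_OPTIONS`` bullet names the wrong setting: it tells readers to set ``X_FRAME_ORIGINS = 'SAMEORIGIN'`` while the sentence it sits in, and the ``:setting:`` role on the same line, refer to ``X_FRAME_OPTIONS``. A reader who copies the literal as written will add an unused setting and keep the ``'DENY'`` default, so their framed pages will stay broken. The same typo is carried over verbatim from the paragraph removed in the next hunk; since the text is being relocated anyway, change the literal to ``X_FRAME_OPTIONS = 'SAMEORIGIN'`` here. Minor style point in the second bullet: "With the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the ... sets" reads awkwardly; "When :setting:`SECURE_CONTENT_TYPE_NOSNIFF` is enabled, ... sets" says the same thing more naturally.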
@ -541,14 +557,18 @@ upload handler is used.
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
inconsistency.

New default value for the ``X_FRAME_OPTIONS`` setting
-----------------------------------------------------
New default values for security settings
----------------------------------------

In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
``'SAMEORIGIN'``. To make Django projects more secure by default,
:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
for them to continue working.
To make Django projects more secure by default, some security settings now have
more secure default values:

* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``.

* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` now defaults to ``True``.

See the *What's New* :ref:`Security section <whats-new-security-3.0>` above for
more details on these changes.

Miscellaneous
-------------
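Review bot: the rewritten backwards-incompatible section drops the actionable part of the paragraph it replaces ("If your site uses frames of itself, you will need to explicitly set ... for them to continue working"), so someone scanning this section after an upgrade now only learns that two defaults changed and has to follow the cross-reference to find out what to do about it. Suggest keeping a one-line remediation beside each bullet, for example "* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. Set it to ``'SAMEORIGIN'`` if your site frames its own pages." and, for :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, a note that the previous default was the opposite value, so projects that relied on browsers sniffing content types must set it explicitly. The new heading text and its underline are the same length (40 characters), so the RST will build cleanly.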
@ -590,12 +610,6 @@ Miscellaneous
field names contains an asterisk, then the ``Vary`` header will consist of a
single asterisk ``'*'``.

* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
:class:`~django.middleware.security.SecurityMiddleware` sets the
:ref:`x-content-type-options` header on all responses that do not already
have it.

* On MySQL 8.0.16+, ``PositiveIntegerField`` and ``PositiveSmallIntegerField``
now include a check constraint to prevent negative values in the database.

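Review bot: the five-line bullet removed here is the same text, word for word, as the second bullet added to the new Security subsection in the first hunk, so the move loses nothing; the only thing to double-check after the drop is that exactly one blank line remains between the ``Vary`` entry and the MySQL check-constraint entry so the Miscellaneous list still renders as a single list.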