django.git/docs/internals/security.txt, branch stable/6.0.x

[6.0.x] Added section for respecting maintainer time to the security policy.

2026-04-02T14:37:55Z

This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.

[6.0.x] Fixed #36862 -- Doc'd the need for a proxy when deploying RemoteUserMiddleware under ASGI.

2026-04-02T13:22:17Z

We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic. Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.

[6.0.x] Adjusted default DoS severity level in Security Policy.

2026-02-26T15:21:01Z

Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.

[6.0.x] Fixed #36778 -- Extended advice to sanitize input before using in query expressions.

2025-12-08T15:25:57Z

Thanks Clifford Gama and Simon Charette for reviews. Backport of 334308efae8e0c7b1523d5583af32b674a098eba from main.

Refs #36485 -- Rewrapped docs to 79 columns line length.

2025-08-25T13:51:10Z

Lines in the docs files were manually adjusted to conform to the 79 columns limit per line (plus newline), improving readability and consistency across the content.

Clarified that only latest dependency versions are valid for security reports.

2025-06-18T14:04:34Z

Added guidance on AI-assisted security reports to docs/internals/security.txt.

2025-06-17T14:45:03Z

Co-authored-by: Shai Berger Co-authored-by: Mike Edmunds

Added security guideline on reasonable size limitations when rendering content via the DTL.

2025-02-24T07:51:08Z

This also removes the need to add warnings for every Django template filter.

Added security reporting guidelines.

2025-02-24T07:51:08Z

Updated expectations for when security reports will receive a reply.

2025-02-24T07:51:08Z