summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2019-08-02 17:16:01 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-08-18 13:17:49 +0200
commit04681597634a0c803246fe68b3bcb64f81e7305c (patch)
tree62cd12dd28ae7880b158c5ad104863d41b4c9013
parent8b4a43dda702fe72c254388f1be2c0c75b7a3efc (diff)
Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
-rw-r--r--django/conf/global_settings.py2
-rw-r--r--docs/ref/settings.txt6
-rw-r--r--docs/releases/3.0.txt6
-rw-r--r--tests/project_template/test_settings.py1
4 files changed, 13 insertions, 2 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 61d08ddba5..c7b6c2a4ea 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = []
# SECURITY MIDDLEWARE #
#######################
SECURE_BROWSER_XSS_FILTER = False
-SECURE_CONTENT_TYPE_NOSNIFF = False
+SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False
SECURE_HSTS_SECONDS = 0
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 1c845b0df1..f1d60d257b 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2191,12 +2191,16 @@ header if you support older browsers.
``SECURE_CONTENT_TYPE_NOSNIFF``
-------------------------------
-Default: ``False``
+Default: ``True``
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
sets the :ref:`x-content-type-options` header on all responses that do not
already have it.
+.. versionchanged:: 3.0
+
+ In older versions, the default value is ``False``.
+
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
``SECURE_HSTS_INCLUDE_SUBDOMAINS``
diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt
index bc9cbe3751..b6b3368337 100644
--- a/docs/releases/3.0.txt
+++ b/docs/releases/3.0.txt
@@ -519,6 +519,12 @@ Miscellaneous
field names contains an asterisk, then the ``Vary`` header will consist of a
single asterisk ``'*'``.
+* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
+ the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
+ :class:`~django.middleware.security.SecurityMiddleware` sets the
+ :ref:`x-content-type-options` header on all responses that do not already
+ have it.
+
.. _deprecated-features-3.0:
Features deprecated in 3.0
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index 0eaf950951..c76564c656 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase):
self.assertEqual(headers, [
b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8',
+ b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: SAMEORIGIN',
])