diff options
| author | Claude Paroz <claude@2xlibre.net> | 2019-08-02 17:16:01 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-08-18 13:17:49 +0200 |
| commit | 04681597634a0c803246fe68b3bcb64f81e7305c (patch) | |
| tree | 62cd12dd28ae7880b158c5ad104863d41b4c9013 | |
| parent | 8b4a43dda702fe72c254388f1be2c0c75b7a3efc (diff) | |
Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
| -rw-r--r-- | django/conf/global_settings.py | 2 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 6 | ||||
| -rw-r--r-- | docs/releases/3.0.txt | 6 | ||||
| -rw-r--r-- | tests/project_template/test_settings.py | 1 |
4 files changed, 13 insertions, 2 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index 61d08ddba5..c7b6c2a4ea 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = [] # SECURITY MIDDLEWARE # ####################### SECURE_BROWSER_XSS_FILTER = False -SECURE_CONTENT_TYPE_NOSNIFF = False +SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_HSTS_INCLUDE_SUBDOMAINS = False SECURE_HSTS_PRELOAD = False SECURE_HSTS_SECONDS = 0 diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 1c845b0df1..f1d60d257b 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2191,12 +2191,16 @@ header if you support older browsers. ``SECURE_CONTENT_TYPE_NOSNIFF`` ------------------------------- -Default: ``False`` +Default: ``True`` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-content-type-options` header on all responses that do not already have it. +.. versionchanged:: 3.0 + + In older versions, the default value is ``False``. + .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS ``SECURE_HSTS_INCLUDE_SUBDOMAINS`` diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt index bc9cbe3751..b6b3368337 100644 --- a/docs/releases/3.0.txt +++ b/docs/releases/3.0.txt @@ -519,6 +519,12 @@ Miscellaneous field names contains an asterisk, then the ``Vary`` header will consist of a single asterisk ``'*'``. +* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With + the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the + :class:`~django.middleware.security.SecurityMiddleware` sets the + :ref:`x-content-type-options` header on all responses that do not already + have it. + .. _deprecated-features-3.0: Features deprecated in 3.0 diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py index 0eaf950951..c76564c656 100644 --- a/tests/project_template/test_settings.py +++ b/tests/project_template/test_settings.py @@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase): self.assertEqual(headers, [ b'Content-Length: 0', b'Content-Type: text/html; charset=utf-8', + b'X-Content-Type-Options: nosniff', b'X-Frame-Options: SAMEORIGIN', ]) |
