summaryrefslogtreecommitdiff
path: root/docs/ref/checks.txt
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2016-12-31 13:24:00 -0500
committerTim Graham <timograham@gmail.com>2017-01-17 20:52:04 -0500
commitd334f46b7a080fd3eb720141c19b37b10704a352 (patch)
treeeeea5a2a967c3078a58455b71cfa64dc8ead2fc6 /docs/ref/checks.txt
parent631f4ab06112aca5bd6a57b81159048f936050bf (diff)
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES.
Diffstat (limited to 'docs/ref/checks.txt')
-rw-r--r--docs/ref/checks.txt22
1 files changed, 10 insertions, 12 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index fbdb34c7d9..f30d07d921 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -323,19 +323,19 @@ The following checks are run if you use the :option:`check --deploy` option:
* **security.W001**: You do not have
:class:`django.middleware.security.SecurityMiddleware` in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES` so the :setting:`SECURE_HSTS_SECONDS`,
+ :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
and :setting:`SECURE_SSL_REDIRECT` settings will have no effect.
* **security.W002**: You do not have
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES`, so your pages will not be served with an
+ :setting:`MIDDLEWARE`, so your pages will not be served with an
``'x-frame-options'`` header. Unless there is a good reason for your
site to be served in a frame, you should consider enabling this
header to help prevent clickjacking attacks.
* **security.W003**: You don't appear to be using Django's built-in cross-site
request forgery protection via the middleware
(:class:`django.middleware.csrf.CsrfViewMiddleware` is not in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES`). Enabling the middleware is the safest
+ :setting:`MIDDLEWARE`). Enabling the middleware is the safest
approach to ensure you don't leave any holes.
* **security.W004**: You have not set a value for the
:setting:`SECURE_HSTS_SECONDS` setting. If your entire site is served only
@@ -372,10 +372,9 @@ The following checks are run if you use the :option:`check --deploy` option:
sessions.
* **security.W011**: You have
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES`, but you have not set
- :setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session
- cookie makes it more difficult for network traffic sniffers to hijack user
- sessions.
+ :setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_SECURE`
+ to ``True``. Using a secure-only session cookie makes it more difficult for
+ network traffic sniffers to hijack user sessions.
* **security.W012**: :setting:`SESSION_COOKIE_SECURE` is not set to ``True``.
Using a secure-only session cookie makes it more difficult for network traffic
sniffers to hijack user sessions.
@@ -386,10 +385,9 @@ The following checks are run if you use the :option:`check --deploy` option:
sessions.
* **security.W014**: You have
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES`, but you have not set
- :setting:`SESSION_COOKIE_HTTPONLY` to ``True``. Using an ``HttpOnly`` session
- cookie makes it more difficult for cross-site scripting attacks to hijack user
- sessions.
+ :setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_HTTPONLY`
+ to ``True``. Using an ``HttpOnly`` session cookie makes it more difficult for
+ cross-site scripting attacks to hijack user sessions.
* **security.W015**: :setting:`SESSION_COOKIE_HTTPONLY` is not set to ``True``.
Using an ``HttpOnly`` session cookie makes it more difficult for cross-site
scripting attacks to hijack user sessions.
@@ -405,7 +403,7 @@ The following checks are run if you use the :option:`check --deploy` option:
deployment.
* **security.W019**: You have
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
- :setting:`MIDDLEWARE`/:setting:`MIDDLEWARE_CLASSES`, but :setting:`X_FRAME_OPTIONS` is not set to
+ :setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
for your site to serve other parts of itself in a frame, you should change
it to ``'DENY'``.