diff options
| author | Claude Paroz <claude@2xlibre.net> | 2019-08-02 17:16:01 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-08-18 13:17:49 +0200 |
| commit | 04681597634a0c803246fe68b3bcb64f81e7305c (patch) | |
| tree | 62cd12dd28ae7880b158c5ad104863d41b4c9013 /docs | |
| parent | 8b4a43dda702fe72c254388f1be2c0c75b7a3efc (diff) | |
Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 6 | ||||
| -rw-r--r-- | docs/releases/3.0.txt | 6 |
2 files changed, 11 insertions, 1 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 1c845b0df1..f1d60d257b 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2191,12 +2191,16 @@ header if you support older browsers. ``SECURE_CONTENT_TYPE_NOSNIFF`` ------------------------------- -Default: ``False`` +Default: ``True`` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-content-type-options` header on all responses that do not already have it. +.. versionchanged:: 3.0 + + In older versions, the default value is ``False``. + .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS ``SECURE_HSTS_INCLUDE_SUBDOMAINS`` diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt index bc9cbe3751..b6b3368337 100644 --- a/docs/releases/3.0.txt +++ b/docs/releases/3.0.txt @@ -519,6 +519,12 @@ Miscellaneous field names contains an asterisk, then the ``Vary`` header will consist of a single asterisk ``'*'``. +* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With + the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the + :class:`~django.middleware.security.SecurityMiddleware` sets the + :ref:`x-content-type-options` header on all responses that do not already + have it. + .. _deprecated-features-3.0: Features deprecated in 3.0 |
