diff options
| author | Adam Johnson <me@adamj.eu> | 2020-02-05 10:02:35 +0000 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-02-05 14:39:01 +0100 |
| commit | 72b97a5b1e22f5d464045be2e33f0436fa8061d3 (patch) | |
| tree | f07339168dd9fd228f9d3eab12046cc545e93b88 /docs | |
| parent | 7fa1a93c6c8109010a6ff3f604fda83b604e0e97 (diff) | |
Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 6 | ||||
| -rw-r--r-- | docs/releases/3.1.txt | 17 |
2 files changed, 22 insertions, 1 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index b4a5bdc48f..8c3f6f2b47 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g. .. versionadded:: 3.0 -Default: ``None`` +Default: ``'same-origin'`` If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`referrer-policy` header on all responses that do not already have it to the value provided. +.. versionchanged:: 3.1 + + In older versions, the default value is ``None``. + .. setting:: SECURE_SSL_HOST ``SECURE_SSL_HOST`` diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt index 4a165156e1..903e2510ba 100644 --- a/docs/releases/3.1.txt +++ b/docs/releases/3.1.txt @@ -285,6 +285,19 @@ Requests and Responses * The new :meth:`.HttpRequest.accepts` method returns whether the request accepts the given MIME type according to the ``Accept`` HTTP header. +.. _whats-new-security-3.1: + +Security +~~~~~~~~ + +* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to + ``'same-origin'``. With this configured, + :class:`~django.middleware.security.SecurityMiddleware` sets the + :ref:`referrer-policy` header to ``same-origin`` on all responses that do not + already have it. This prevents the ``Referer`` header being sent to other + origins. If you need the previous behavior, explicitly set + :setting:`SECURE_REFERRER_POLICY` to ``None``. + Serialization ~~~~~~~~~~~~~ @@ -452,6 +465,10 @@ Miscellaneous * Providing a non-local remote field in the :attr:`.ForeignKey.to_field` argument now raises :class:`~django.core.exceptions.FieldError`. +* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the + *What's New* :ref:`Security section <whats-new-security-3.1>` above for more + details. + .. _deprecated-features-3.1: Features deprecated in 3.1 |
