summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorAdam Johnson <me@adamj.eu>2020-02-05 10:02:35 +0000
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-02-05 14:39:01 +0100
commit72b97a5b1e22f5d464045be2e33f0436fa8061d3 (patch)
treef07339168dd9fd228f9d3eab12046cc545e93b88 /docs
parent7fa1a93c6c8109010a6ff3f604fda83b604e0e97 (diff)
Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/settings.txt6
-rw-r--r--docs/releases/3.1.txt17
2 files changed, 22 insertions, 1 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index b4a5bdc48f..8c3f6f2b47 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
.. versionadded:: 3.0
-Default: ``None``
+Default: ``'same-origin'``
If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets
the :ref:`referrer-policy` header on all responses that do not already have it
to the value provided.
+.. versionchanged:: 3.1
+
+ In older versions, the default value is ``None``.
+
.. setting:: SECURE_SSL_HOST
``SECURE_SSL_HOST``
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 4a165156e1..903e2510ba 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -285,6 +285,19 @@ Requests and Responses
* The new :meth:`.HttpRequest.accepts` method returns whether the request
accepts the given MIME type according to the ``Accept`` HTTP header.
+.. _whats-new-security-3.1:
+
+Security
+~~~~~~~~
+
+* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
+ ``'same-origin'``. With this configured,
+ :class:`~django.middleware.security.SecurityMiddleware` sets the
+ :ref:`referrer-policy` header to ``same-origin`` on all responses that do not
+ already have it. This prevents the ``Referer`` header being sent to other
+ origins. If you need the previous behavior, explicitly set
+ :setting:`SECURE_REFERRER_POLICY` to ``None``.
+
Serialization
~~~~~~~~~~~~~
@@ -452,6 +465,10 @@ Miscellaneous
* Providing a non-local remote field in the :attr:`.ForeignKey.to_field`
argument now raises :class:`~django.core.exceptions.FieldError`.
+* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the
+ *What's New* :ref:`Security section <whats-new-security-3.1>` above for more
+ details.
+
.. _deprecated-features-3.1:
Features deprecated in 3.1