| Age | Commit message | Author |
|---|---|---|
| 2026-02-10 | Fixed #36903 -- Fixed further NameErrors when inspecting functions with deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. | 93578237 |
| 2025-10-13 | Replaced multi-level relative imports with absolute imports in django/. | lyova24 |
| 2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. | django-bot |
| 2025-06-27 | Fixed #15727 -- Added Content Security Policy (CSP) support. This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | Rob Hudson |
| 2022-02-21 | Refs #33526 -- Made CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY not pass on truthy values. | Mariusz Felisiak |
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot |
| 2022-02-01 | Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> | tschilling |
| 2021-04-30 | Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. | Tim Graham |
| 2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> | bankc |
| 2021-01-14 | Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting. Per deprecation timeline. | Mariusz Felisiak |
| 2021-01-12 | Refs #32311 -- Fixed CSRF_FAILURE_VIEW system check errors code. | Hasan Ramezani |
| 2021-01-12 | Fixed #32311 -- Added system check for CSRF_FAILURE_VIEW setting. | Hasan Ramezani |
| 2020-11-11 | Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys. Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews. | Artem Kosenko |
| 2020-08-04 | Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting. It's a transitional setting helpful in migrating multiple instances of the same project to Django 3.1+. Thanks Markus Holtermann for the report and review, Florian Apolloner for the implementation idea and review, and Carlton Gibson for the review. | Mariusz Felisiak |
| 2020-07-29 | Fixed #29324 -- Made SECRET_KEY validation lazy (on first access). | Florian Apolloner |
| 2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. | Nick Pope |
| 2019-09-09 | Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY. | Claude Paroz |
| 2019-08-05 | Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER setting. | Adnan Umer |
| 2018-10-30 | Capitalized SecurityMiddleware headers for consistency with other headers. (No behavior change since HTTP headers are case insensitive.) | Artur Juraszek |
| 2017-01-17 | Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. | Tim Graham |
| 2016-12-19 | Fixed #27611 -- Doc'd that CSRF_COOKIE_HTTPONLY setting offers no security. | Tim Graham |
| 2016-12-17 | Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS. | Raphael Michel |
| 2016-11-14 | Fixed E305 flake8 warnings. | Ramin Farajpour Cami |
| 2016-08-10 | Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD. | Ed Morley |
| 2016-05-17 | Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. | Florian Apolloner |
| 2015-07-15 | Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS. | rroskam |
| 2015-02-06 | Sorted imports with isort; refs #23860. | Tim Graham |
| 2014-09-12 | Fixed #17101 -- Integrated django-secure and added check --deploy option. Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. | Tim Graham |
