summaryrefslogtreecommitdiff
path: root/django/core/checks/security
AgeCommit message (Collapse)Author
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2025-10-13Replaced multi-level relative imports with absolute imports in django/.lyova24
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-06-27Fixed #15727 -- Added Content Security Policy (CSP) support.Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2022-02-21Refs #33526 -- Made ↵Mariusz Felisiak
CSRF_COOKIE_SECURE/SESSION_COOKIE_SECURE/SESSION_COOKIE_HTTPONLY don't pass on truthy values.
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2022-02-01Fixed #30360 -- Added support for secret key rotation.tschilling
Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com>
2021-04-30Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting.Tim Graham
2021-03-30Fixed #31840 -- Added support for Cross-Origin Opener Policy header.bankc
Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com>
2021-01-14Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting.Mariusz Felisiak
Per deprecation timeline.
2021-01-12Refs #32311 -- Fixed CSRF_FAILURE_VIEW system check errors code.Hasan Ramezani
2021-01-12Fixed #32311 -- Added system check for CSRF_FAILURE_VIEW setting.Hasan Ramezani
2020-11-11Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about ↵Artem Kosenko
autogenerated default keys. Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews.
2020-08-04Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.Mariusz Felisiak
It's a transitional setting helpful in migrating multiple instance of the same project to Django 3.1+. Thanks Markus Holtermann for the report and review, Florian Apolloner for the implementation idea and review, and Carlton Gibson for the review.
2020-07-29Fixed #29324 -- Made SECRET_KEY validation lazy (on first access).Florian Apolloner
2019-09-09Fixed #29406 -- Added support for Referrer-Policy header.Nick Pope
Thanks to James Bennett for the initial implementation.
2019-09-09Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.Claude Paroz
2019-08-05Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER ↵Adnan Umer
setting.
2018-10-30Capitalized SecurityMiddleware headers for consistency with other headers.Artur Juraszek
(No behavior change since HTTP headers are case insensitive.)
2017-01-17Refs #26601 -- Removed support for old-style middleware using ↵Tim Graham
settings.MIDDLEWARE_CLASSES.
2016-12-19Fixed #27611 -- Doc'd that CSRF_COOKIE_HTTPONLY setting offers no security.Tim Graham
2016-12-17Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.Raphael Michel
2016-11-14Fixed E305 flake8 warnings.Ramin Farajpour Cami
2016-08-10Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD.Ed Morley
2016-05-17Fixed #26601 -- Improved middleware per DEP 0005.Florian Apolloner
Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP.
2015-07-15Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS.rroskam
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2014-09-12Fixed #17101 -- Integrated django-secure and added check --deploy optionTim Graham
Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews.