| Age | Commit message | Author |
|---|---|---|
| 2026-04-07 | Refs CVE-2026-33034 -- Improved security documentation on handling large request bodies. Notably that the limit can be bypassed under ASGI. | Jake Howard |
| 2025-08-25 | Refs #36485 -- Rewrapped docs to 79 columns line length. | David Smith |
| | Lines in the docs files were manually adjusted to conform to the 79 columns limit per line (plus newline), improving readability and consistency across the content. | |
| 2025-08-25 | Refs #36485 -- Removed unnecessary parentheses in :meth: and :func: roles in docs. | David Smith |
| 2025-08-19 | Fixed spelling of "logged-in" when used as an adjective in docs. | mengxun |
| 2025-06-27 | Fixed #15727 -- Added Content Security Policy (CSP) support. | Rob Hudson |
| | This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |
| 2025-02-24 | Added security reporting guidelines. | Sarah Boyce |
| 2023-02-10 | Refs #34140 -- Applied rst code-block to non-Python examples. | Carlton Gibson |
| | Thanks to J.V. Zammit, Paolo Melchiorre, and Mariusz Felisiak for reviews. | |
| 2022-06-16 | Updated OWASP Top 10 link in security topic. | Grammy Jiang |
| 2022-05-17 | Removed versionadded/changed annotations for 4.0. | Carlton Gibson |
| 2022-02-01 | Fixed #30360 -- Added support for secret key rotation. | tschilling |
| | Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> | |
| 2021-07-29 | Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate. | David Smith |
| 2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. | bankc |
| | Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> | |
| 2020-06-17 | Refs #31670 -- Removed whitelist/blacklist terminology in docs and comments. | David Smith |
| 2020-06-15 | Fixed #31696 -- Updated OWASP links in docs. | Hasan Ramezani |
| 2020-04-22 | Added link to Mozilla's infosec page on web security. | Mads Jensen |
| 2020-04-07 | Fixed highlightlang deprecation warning on Sphinx 1.8+. | Mariusz Felisiak |
| 2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. | Nick Pope |
| | Thanks to James Bennett for the initial implementation. | |
| 2019-09-06 | Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty. | Tobias Kunze |
| | This patch does not remove all occurrences of the words in question. Rather, I went through all of the occurrences of the words listed below, and judged if they a) suggested the reader had some kind of knowledge/experience, and b) if they added anything of value (including tone of voice, etc). I left most of the words alone. I looked at the following words: simply/simple, easy/easier/easiest, obvious, just, merely, straightforward, ridiculous. Thanks to Carlton Gibson for guidance on how to approach this issue, and to Tim Bell for providing the idea. But the enormous lion's share of thanks go to Adam Johnson for his patient and helpful review. | |
| 2018-12-27 | Updated OWASP Top 10 link to the latest version. | Vedran Karačić |
| 2018-11-15 | Used auto-numbered lists in documentation. | François Freitag |
| 2017-11-01 | Described how querysets are protected from SQL injection in more detail. | Tim Graham |
| 2016-08-10 | Fixed #26947 -- Added an option to enable the HSTS header preload directive. | Ed Morley |
| 2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger |
| | Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews. | |
| 2016-04-09 | Refs #26464 -- Added a link to OWASP Top 10 in security topic guide. | Tim Graham |
| 2016-04-04 | Removed a reference to Django 1.3.1 in docs. | Tim Graham |
| 2016-02-11 | Fixed #26206 -- Fixed docs comments causing empty code blocks. | Tim Graham |
| 2016-01-25 | Fixed Sphinx highlight warnings in docs. | Tim Graham |
| 2015-12-21 | Removed a misleading comment about HTTPS. | Alex Gaynor |
| | For all practical purposes, there are no common cases for which a website cannot be deployed with HTTPS. | |
| 2015-12-01 | Fixed #25778 -- Updated docs links to use https when available. | Jon Dufresne |
| 2015-11-16 | Fixed #25755 -- Unified spelling of "website". | Agnieszka Lasyk |
| 2015-09-04 | Added links to new security settings introduced in 1.8. | David Sanders |
| 2015-08-08 | Updated various links in docs | Claude Paroz |
| 2015-08-08 | Updated Wikipedia links to use https | Claude Paroz |
| 2015-08-05 | Fixed #25212 -- Documented the RawSQL expression. | Tim Graham |
| 2014-09-26 | Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute. | Carl Meyer |
| | Thanks "djbug" for the report. | |
| 2014-08-18 | Fixed some doc errors that caused syntax highlighting to fail. | Tim Graham |
| 2014-04-25 | Fixed #22504 -- Corrected domain terminology in security guide. | Tim Graham |
| | Thanks chris at chrullrich.net. | |
| 2014-04-25 | Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection | Moayad Mardini |
| | Thanks Erik Romijn for the suggestion. | |
| 2014-03-21 | Removed PIL compatibility layer per deprecation timeline. | Tim Graham |
| | refs #19934. | |
| 2013-11-27 | Added a warning regarding risks in serving user uploaded media. | Tim Graham |
| | Thanks Preston Holmes for the draft text. | |
| 2013-10-18 | Added a warning regarding session security and subdomains. | Tim Graham |
| 2013-04-29 | Fixed #20330 -- Normalized spelling of "web server". | Aymeric Augustin |
| | Thanks Baptiste Mispelon for the report. | |
| 2013-02-19 | Added a new required ALLOWED_HOSTS setting for HTTP host header validation. | Carl Meyer |
| | This is a security fix; disclosure and advisory coming shortly. | |
| 2012-12-29 | Removed django.contrib.markup. | Aymeric Augustin |
| 2012-12-26 | Fixed broken links, round 3. refs #19516 | Tim Graham |
| 2012-12-10 | Fixed a security issue in get_host. | Florian Apolloner |
| | Full disclosure and new release forthcoming. | |
| 2012-09-06 | Formatting fix for host headers section | David Fischer |
| 2012-09-06 | Added CSRF with HTTPS/HSTS and forwarding note | David Fischer |
| 2012-09-06 | Added note about Strict Transport Security (HSTS) | David Fischer |
| 2012-06-04 | Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER. | Luke Plant |
