path: root/docs/topics/security.txt
Age | Commit message | Author
2026-04-07 | Refs CVE-2026-33034 -- Improved security documentation on handling large request bodies. | Jake Howard
    Notably that the limit can be bypassed under ASGI.
2025-08-25 | Refs #36485 -- Rewrapped docs to 79 columns line length. | David Smith
    Lines in the docs files were manually adjusted to conform to the 79 columns limit per line (plus newline), improving readability and consistency across the content.
2025-08-25 | Refs #36485 -- Removed unnecessary parentheses in :meth: and :func: roles in docs. | David Smith
2025-08-19 | Fixed spelling of "logged-in" when used as an adjective in docs. | mengxun
2025-06-27 | Fixed #15727 -- Added Content Security Policy (CSP) support. | Rob Hudson
    This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
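The commit above describes three pieces: a policy expressed per directive, a header that either enforces it or only reports violations, and a per-response nonce that inline assets must carry. The following is an added, framework-free illustration of how those pieces fit together; it is not Django's code, and the `NONCE` placeholder, the function names and the sample policies are this example's own assumptions.

```python
import secrets
from typing import Dict, List, Mapping, Optional, Sequence

# Placeholder meaning "put this response's nonce here". The sentinel and every
# function below are assumptions of this example, not Django's API.
NONCE = "<nonce>"


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh unguessable nonce. A new one is required for every response;
    a reused nonce lets any injected script copy it and be allowed."""
    return secrets.token_urlsafe(nbytes)


def build_csp_header(policy: Mapping[str, Sequence[str]], nonce: str) -> str:
    """Serialise {directive: [sources]} into a CSP header value.

    NONCE placeholders become 'nonce-<value>'. Keyword sources such as 'self'
    must already carry their single quotes; everything else is emitted as-is.
    """
    parts = []
    for directive, sources in policy.items():
        rendered = [f"'nonce-{nonce}'" if s == NONCE else s for s in sources]
        parts.append(" ".join([directive, *rendered]))
    return "; ".join(parts)


def lint_policy(policy: Mapping[str, Sequence[str]]) -> List[str]:
    """Warnings for source lists that undermine what the nonce is meant to do."""
    warnings = []
    for directive, sources in policy.items():
        if NONCE in sources and "'unsafe-inline'" in sources:
            # Per CSP Level 2, a user agent that understands nonces ignores
            # 'unsafe-inline' once a nonce or hash source is present, so the
            # keyword only affects browsers without nonce support, where it
            # allows every inline script.
            warnings.append(
                f"{directive}: 'unsafe-inline' is ignored when a nonce is present"
            )
        if "*" in sources and directive in ("script-src", "default-src"):
            warnings.append(f"{directive}: wildcard allows scripts from any origin")
    return warnings


def apply_csp(
    headers: Dict[str, str],
    policy: Optional[Mapping[str, Sequence[str]]],
    report_only_policy: Optional[Mapping[str, Sequence[str]]],
    nonce: str,
) -> Dict[str, str]:
    """Set the enforcing and/or report-only header on a response header dict.
    Both may be sent at once, e.g. to trial a stricter policy in report-only
    mode while still enforcing the current one."""
    if policy:
        headers["Content-Security-Policy"] = build_csp_header(policy, nonce)
    if report_only_policy:
        headers["Content-Security-Policy-Report-Only"] = build_csp_header(
            report_only_policy, nonce
        )
    return headers


def inline_script_tag(nonce: str, body: str) -> str:
    """Inline script the policy allows because its nonce matches the header.
    `body` is inserted verbatim; it must be trusted template code, not user input."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    nonce = generate_nonce()
    # Constructed sample policies for the demonstration.
    enforce = {
        "default-src": ["'self'"],
        "script-src": ["'self'", NONCE],
        "object-src": ["'none'"],
    }
    trial = {
        "default-src": ["'self'"],
        "script-src": [NONCE],
        "report-uri": ["/csp-report/"],
    }
    headers = apply_csp({}, enforce, trial, nonce)
    print(headers["Content-Security-Policy"])
    print(headers["Content-Security-Policy-Report-Only"])
    print(inline_script_tag(nonce, "console.log('allowed')"))
    print(lint_policy({"script-src": [NONCE, "'unsafe-inline'"]}))
```

The nonce appears in exactly two places, the header and the `nonce` attribute of each inline tag, which is why the commit pairs a middleware (header) with a template context processor (attribute): both must see the same per-response value.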
2025-02-24 | Added security reporting guidelines. | Sarah Boyce
2023-02-10 | Refs #34140 -- Applied rst code-block to non-Python examples. | Carlton Gibson
    Thanks to J.V. Zammit, Paolo Melchiorre, and Mariusz Felisiak for reviews.
2022-06-16 | Updated OWASP Top 10 link in security topic. | Grammy Jiang
2022-05-17 | Removed versionadded/changed annotations for 4.0. | Carlton Gibson
2022-02-01 | Fixed #30360 -- Added support for secret key rotation. | tschilling
    Thanks Florian Apolloner for the implementation idea.
    Co-authored-by: Andreas Pelme <andreas@pelme.se>
    Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
    Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com>
2021-07-29 | Fixed #32956 -- Lowercased spelling of "web" and "web framework" where appropriate. | David Smith
2021-03-30 | Fixed #31840 -- Added support for Cross-Origin Opener Policy header. | bankc
    Thanks Adam Johnson and Tim Graham for the reviews.
    Co-authored-by: Tim Graham <timograham@gmail.com>
2020-06-17 | Refs #31670 -- Removed whitelist/blacklist terminology in docs and comments. | David Smith
2020-06-15 | Fixed #31696 -- Updated OWASP links in docs. | Hasan Ramezani
2020-04-22 | Added link to Mozilla's infosec page on web security. | Mads Jensen
2020-04-07 | Fixed highlightlang deprecation warning on Sphinx 1.8+. | Mariusz Felisiak
2019-09-09 | Fixed #29406 -- Added support for Referrer-Policy header. | Nick Pope
    Thanks to James Bennett for the initial implementation.
2019-09-06 | Fixed #30573 -- Rephrased documentation to avoid words that minimise the involved difficulty. | Tobias Kunze
    This patch does not remove all occurrences of the words in question. Rather, I went through all of the occurrences of the words listed below, and judged if they a) suggested the reader had some kind of knowledge/experience, and b) if they added anything of value (including tone of voice, etc). I left most of the words alone. I looked at the following words:
    - simply/simple
    - easy/easier/easiest
    - obvious
    - just
    - merely
    - straightforward
    - ridiculous
    Thanks to Carlton Gibson for guidance on how to approach this issue, and to Tim Bell for providing the idea. But the enormous lion's share of thanks go to Adam Johnson for his patient and helpful review.
2018-12-27 | Updated OWASP Top 10 link to the latest version. | Vedran Karačić
2018-11-15 | Used auto-numbered lists in documentation. | François Freitag
2017-11-01 | Described how querysets are protected from SQL injection in more detail. | Tim Graham
2016-08-10 | Fixed #26947 -- Added an option to enable the HSTS header preload directive. | Ed Morley
2016-05-19 | Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them | Shai Berger
    Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
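The scheme the commit above describes, as an added illustration that is not Django's own code: the cookie keeps a fixed 32-character secret, every rendered token is that secret combined character-by-character with a fresh random mask of the same length (so two requests get two different tokens that both unmask to the same secret), and validation accepts only `[A-Za-z0-9]{64}` or a legacy 32-character token that is upgraded on the spot. The alphabet, the modular-addition cipher and the function names are this example's assumptions.

```python
import hmac
import re
import secrets
import string
from typing import Optional

# Assumptions of this example: a 62-symbol alphabet and 32/64-char lengths,
# chosen to match the [A-Za-z0-9]{64} rule stated in the commit message.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
_TOKEN_RE = re.compile(r"[A-Za-z0-9]{64}\Z")
_LEGACY_RE = re.compile(r"[A-Za-z0-9]{32}\Z")


def new_secret() -> str:
    """Random secret kept in the CSRF cookie; it does not change per request."""
    return "".join(
        secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH)
    )


def mask_secret(secret: str, mask: Optional[str] = None) -> str:
    """Salt-encrypt the secret: token = mask || (secret[i] + mask[i]) mod 62.

    A fresh mask per call is what makes every request's token different
    while leaving the underlying secret (and the cookie) unchanged.
    """
    if mask is None:
        mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the secret from a 64-char token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)]
        for c, m in zip(cipher, mask)
    )


def sanitize_token(token: str) -> Optional[str]:
    """Strict validation: exactly 64 alphanumerics, or a legacy 32-char secret
    that is upgraded to a freshly masked 64-char token. Anything else (wrong
    length, non-ASCII, punctuation) is rejected rather than silently trimmed."""
    if _TOKEN_RE.match(token):
        return token
    if _LEGACY_RE.match(token):
        return mask_secret(token)
    return None


def tokens_match(request_token: str, cookie_secret: str) -> bool:
    """Check a submitted token against the cookie secret in constant time."""
    token = sanitize_token(request_token)
    if token is None:
        return False
    return hmac.compare_digest(unmask_token(token), cookie_secret)


if __name__ == "__main__":
    secret = new_secret()                  # what the cookie would hold
    form_token_1 = mask_secret(secret)     # what one {% csrf_token %} renders
    form_token_2 = mask_secret(secret)     # the next request renders another
    print(form_token_1 != form_token_2, tokens_match(form_token_1, secret),
          tokens_match(form_token_2, secret))
    print(tokens_match(secret, secret))    # legacy 32-char token still accepted
    print(tokens_match("!" * 64, secret))  # rejected by the strict check
```

The per-request mask is what defeats compression-based token recovery (the BREACH class of attack): the attacker no longer sees the same secret bytes in every response. Note that the mask gives no secrecy against someone who holds the token, since `unmask_token` needs no key; its only job is to make each rendered token look different.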
2016-04-09 | Refs #26464 -- Added a link to OWASP Top 10 in security topic guide. | Tim Graham
2016-04-04 | Removed a reference to Django 1.3.1 in docs. | Tim Graham
2016-02-11 | Fixed #26206 -- Fixed docs comments causing empty code blocks. | Tim Graham
2016-01-25 | Fixed Sphinx highlight warnings in docs. | Tim Graham
2015-12-21 | Removed a misleading comment about HTTPS. | Alex Gaynor
    For all practical purposes, there are no common cases for which a website cannot be deployed with HTTPS.
2015-12-01 | Fixed #25778 -- Updated docs links to use https when available. | Jon Dufresne
2015-11-16 | Fixed #25755 -- Unified spelling of "website". | Agnieszka Lasyk
2015-09-04 | Added links to new security settings introduced in 1.8. | David Sanders
2015-08-08 | Updated various links in docs. | Claude Paroz
2015-08-08 | Updated Wikipedia links to use https. | Claude Paroz
2015-08-05 | Fixed #25212 -- Documented the RawSQL expression. | Tim Graham
2014-09-26 | Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute. | Carl Meyer
    Thanks "djbug" for the report.
2014-08-18 | Fixed some doc errors that caused syntax highlighting to fail. | Tim Graham
2014-04-25 | Fixed #22504 -- Corrected domain terminology in security guide. | Tim Graham
    Thanks chris at chrullrich.net.
2014-04-25 | Fixed #22493 -- Added warnings to raw() and extra() docs about SQL injection. | Moayad Mardini
    Thanks Erik Romijn for the suggestion.
2014-03-21 | Removed PIL compatibility layer per deprecation timeline. | Tim Graham
    refs #19934.
2013-11-27 | Added a warning regarding risks in serving user uploaded media. | Tim Graham
    Thanks Preston Holmes for the draft text.
2013-10-18 | Added a warning regarding session security and subdomains. | Tim Graham
2013-04-29 | Fixed #20330 -- Normalized spelling of "web server". | Aymeric Augustin
    Thanks Baptiste Mispelon for the report.
2013-02-19 | Added a new required ALLOWED_HOSTS setting for HTTP host header validation. | Carl Meyer
    This is a security fix; disclosure and advisory coming shortly.
2012-12-29 | Removed django.contrib.markup. | Aymeric Augustin
2012-12-26 | Fixed broken links, round 3. refs #19516 | Tim Graham
2012-12-10 | Fixed a security issue in get_host. | Florian Apolloner
    Full disclosure and new release forthcoming.
2012-09-06 | Formatting fix for host headers section. | David Fischer
2012-09-06 | Added CSRF with HTTPS/HSTS and forwarding note. | David Fischer
2012-09-06 | Added note about Strict Transport Security (HSTS). | David Fischer
2012-06-04 | Rewrote security.txt SSL docs, noting SECURE_PROXY_SSL_HEADER. | Luke Plant