| author | Nick Pope <nick.pope@flightdataservices.com> | 2019-09-02 00:19:16 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-09-09 13:35:31 +0200 |
| commit | 1edbb6c19405a629200ba3683968f3dba2744e7e | |
| tree | 054a66b88964324f072b92f93d17e771f86b97f1 | |
| parent | fc62e16291136513ac0d67d6a2c71e8674740435 | |
Refs #30426 -- Moved release notes into separate security section.
| -rw-r--r-- | docs/releases/3.0.txt | 40 |
1 files changed, 27 insertions, 13 deletions
diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt index 11fb46b6a5..a930a17768 100644 --- a/docs/releases/3.0.txt +++ b/docs/releases/3.0.txt @@ -364,6 +364,22 @@ Requests and Responses * For use in, for example, Django templates, :attr:`.HttpRequest.headers` now allows look ups using underscores (e.g. ``user_agent``) in place of hyphens. +.. _whats-new-security-3.0: + +Security +~~~~~~~~ + +* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. In older versions, the + :setting:`X_FRAME_OPTIONS` setting defaults to ``'SAMEORIGIN'``. If your site + uses frames of itself, you will need to explicitly set ``X_FRAME_ORIGINS = + 'SAMEORIGIN'`` for them to continue working. + +* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With + the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the + :class:`~django.middleware.security.SecurityMiddleware` sets the + :ref:`x-content-type-options` header on all responses that do not already + have it. + Serialization ~~~~~~~~~~~~~ 
@@ -541,14 +557,18 @@ upload handler is used. ``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this inconsistency. -New default value for the ``X_FRAME_OPTIONS`` setting ------------------------------------------------------ +New default values for security settings +---------------------------------------- -In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to -``'SAMEORIGIN'``. To make Django projects more secure by default, -:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames -of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'`` -for them to continue working. +To make Django projects more secure by default, some security settings now have +more secure default values: + +* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. + +* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` now defaults to ``True``. + +See the *What's New* :ref:`Security section <whats-new-security-3.0>` above for +more details on these changes. Miscellaneous ------------- @@ -590,12 +610,6 @@ Miscellaneous field names contains an asterisk, then the ``Vary`` header will consist of a single asterisk ``'*'``. -* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With - the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the - :class:`~django.middleware.security.SecurityMiddleware` sets the - :ref:`x-content-type-options` header on all responses that do not already - have it. - * On MySQL 8.0.16+, ``PositiveIntegerField`` and ``PositiveSmallIntegerField`` now include a check constraint to prevent negative values in the database. |
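Review bot: The new ``X_FRAME_OPTIONS`` bullet added to the Security section (hunk at ``@@ -364``) tells users to set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``, but the setting being described is :setting:`X_FRAME_OPTIONS`; the same wrong name appears in the text removed from the backwards-incompatible section, so moving it is the chance to fix it rather than carry it over. Suggest ``uses frames of itself, you will need to explicitly set ``X_FRAME_OPTIONS = 'SAMEORIGIN'`` for them to continue working.`` In the same bullet, "In older versions, the ... setting defaults to" reads better in the past tense ("defaulted to"), since it describes the previous release.

Review bot: The rewritten "New default values for security settings" section (hunk at ``@@ -541``) drops the previous defaults from the backwards-incompatible list, so someone upgrading has to follow the cross-reference to learn that ``X_FRAME_OPTIONS`` used to be ``'SAMEORIGIN'``, and the previous ``SECURE_CONTENT_TYPE_NOSNIFF`` default is not stated in either section. Suggest stating the old value in each bullet, e.g. ``* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'`` (previously ``'SAMEORIGIN'``).`` and the equivalent for ``SECURE_CONTENT_TYPE_NOSNIFF``, because the upgrade-impact section is where readers look for exactly that.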
