Diffstat (limited to 'docs')
-rw-r--r-- docs/ref/checks.txt | 3
-rw-r--r-- docs/ref/settings.txt | 4
2 files changed, 6 insertions, 1 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index b1f9e085b4..99f4e1d316 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -369,7 +369,8 @@ The following checks are run if you use the :option:`check --deploy` option: set to ``True``, so your pages will not be served with an ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS - attacks. + attacks. *This check is removed in Django 3.0 as the ``X-XSS-Protection`` + header is no longer honored by modern browsers.* * **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to ``True``. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to ``True`` or configure diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6aed2f862f..1c845b0df1 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2182,6 +2182,10 @@ Default: ``False`` If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-xss-protection` header on all responses that do not already have it. +Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although +the setting offers little practical benefit, you may still want to set the +header if you support older browsers. + .. setting:: SECURE_CONTENT_TYPE_NOSNIFF ``SECURE_CONTENT_TYPE_NOSNIFF`` |
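Review bot: in the docs/ref/checks.txt hunk the added sentence contradicts the advice just before it. The paragraph still says "You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks" and then, in the same paragraph, states that the header "is no longer honored by modern browsers". Reword the recommendation so the two agree, e.g. "You may still want to enable this header if you support older browsers", which is the wording the settings.txt hunk already uses. Also, "This check is removed in Django 3.0" reads as something that has already happened; if 3.0 is the upcoming release, write "will be removed in Django 3.0" and say whether the check is deprecated in the current release so users know what the W007 warning means for them now.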
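Review bot: grammar in the docs/ref/settings.txt hunk: "Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore" is missing an article; write "don't honor the ``X-XSS-Protection`` HTTP header anymore" (or "no longer honor the ``X-XSS-Protection`` header", matching the checks.txt wording). The checks.txt hunk says the corresponding deployment check is removed in Django 3.0, but this paragraph does not say whether the setting itself is deprecated; a reader of the settings reference would want that stated here, next to the note that the header only helps with older browsers.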
