mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-03 18:38:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.

Browse source
This commit is contained in:
Claude Paroz 2019-08-02 17:16:01 +02:00 committed by Mariusz Felisiak
parent 8b4a43dda7
commit 0468159763
4 changed files with 13 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/ref/settings.txt
View file

@ -2191,12 +2191,16 @@ header if you support older browsers.
``SECURE_CONTENT_TYPE_NOSNIFF``
-------------------------------
Default: ``False``
Default: ``True``
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
sets the :ref:`x-content-type-options` header on all responses that do not
already have it.
.. versionchanged:: 3.0
In older versions, the default value is ``False``.
.. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
``SECURE_HSTS_INCLUDE_SUBDOMAINS``

6
docs/releases/3.0.txt
View file

@ -519,6 +519,12 @@ Miscellaneous
field names contains an asterisk, then the ``Vary`` header will consist of a
single asterisk ``'*'``.
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
:class:`~django.middleware.security.SecurityMiddleware` sets the
:ref:`x-content-type-options` header on all responses that do not already
have it.
.. _deprecated-features-3.0:
Features deprecated in 3.0