Set 'same-origin' as default SECURE_REFERRER_POLICY

Improve security by reducing referrer information leakage to third-party sites. This aligns with best practices and closes #29406. Adds tests to confirm new default behavior.
2025-11-18 02:56:45 +00:00 · 2025-11-15 22:58:16 +00:00 · 2025-11-15 22:58:16 +00:00 · 17345274fe
commit 17345274fe
parent 7fa1a93c6c
3 changed files with 12 additions and 1 deletions
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@ -637,6 +637,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = False
 SECURE_HSTS_PRELOAD = False
 SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = None
+SECURE_REFERRER_POLICY = 'same-origin'
 SECURE_SSL_HOST = None
 SECURE_SSL_REDIRECT = False
--- a/tests/check_framework/test_security.py
+++ b/tests/check_framework/test_security.py
@ -516,6 +516,9 @@ class CheckReferrerPolicyTest(SimpleTestCase):
        SECURE_REFERRER_POLICY=None,
    )
    def test_no_referrer_policy(self):
+        """
+        Warn when SECURE_REFERRER_POLICY is explicitly set to None.
+        """
        self.assertEqual(self.func(None), [base.W022])

    @override_settings(MIDDLEWARE=[], SECURE_REFERRER_POLICY=None)
--- a/tests/middleware/test_security.py
+++ b/tests/middleware/test_security.py
@ -223,6 +223,14 @@ class SecurityMiddlewareTest(SimpleTestCase):
        ret = self.process_request("get", "/some/url")
        self.assertIsNone(ret)

+    def test_referrer_policy_default(self):
+        """
+        With the default SECURE_REFERRER_POLICY value ('same-origin'), the
+        middleware adds "Referrer-Policy: same-origin" header to the response.
+        """
+        # Test with default settings (same-origin)
+        self.assertEqual(self.process_response()['Referrer-Policy'], 'same-origin')
+
    @override_settings(SECURE_REFERRER_POLICY=None)
    def test_referrer_policy_off(self):
        """