Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.

2025-10-24 06:06:09 +00:00 · 2019-08-02 17:16:01 +02:00
parent 8b4a43dda7
commit 0468159763
4 changed files with 13 additions and 2 deletions
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2191,12 +2191,16 @@ header if you support older browsers.
 ``SECURE_CONTENT_TYPE_NOSNIFF``
 -------------------------------

-Default: ``False``
+Default: ``True``

 If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
 sets the :ref:`x-content-type-options` header on all responses that do not
 already have it.

+.. versionchanged:: 3.0
+
+    In older versions, the default value is ``False``.
+
 .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS

 ``SECURE_HSTS_INCLUDE_SUBDOMAINS``