Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.

2025-10-24 06:06:09 +00:00 · 2019-08-02 17:16:01 +02:00
parent 8b4a43dda7
commit 0468159763
4 changed files with 13 additions and 2 deletions
--- a/docs/releases/3.0.txt
+++ b/docs/releases/3.0.txt
@@ -519,6 +519,12 @@ Miscellaneous
  field names contains an asterisk, then the ``Vary`` header will consist of a
  single asterisk ``'*'``.

+* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
+  the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
+  :class:`~django.middleware.security.SecurityMiddleware` sets the
+  :ref:`x-content-type-options` header on all responses that do not already
+  have it.
+
 .. _deprecated-features-3.0:

 Features deprecated in 3.0