
Capitalized SecurityMiddleware headers for consistency with other headers.

(No behavior change since HTTP headers are case insensitive.)
This commit is contained in:
Artur Juraszek
2018-10-29 23:19:04 +01:00
committed by Tim Graham
parent c1c68d1ac0
commit 817c6cdf0e
4 changed files with 40 additions and 40 deletions


@@ -45,7 +45,7 @@ W005 = Warning(
W006 = Warning(
"Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
"so your pages will not be served with an "
"'x-content-type-options: nosniff' header. "
"'X-Content-Type-Options: nosniff' header. "
"You should consider enabling this header to prevent the "
"browser from identifying content types incorrectly.",
id='security.W006',
@@ -54,7 +54,7 @@ W006 = Warning(
W007 = Warning(
"Your SECURE_BROWSER_XSS_FILTER setting is not set to True, "
"so your pages will not be served with an "
"'x-xss-protection: 1; mode=block' header. "
"'X-XSS-Protection: 1; mode=block' header. "
"You should consider enabling this header to activate the "
"browser's XSS filtering and help prevent XSS attacks.",
id='security.W007',


@@ -29,18 +29,18 @@ class SecurityMiddleware(MiddlewareMixin):
def process_response(self, request, response):
if (self.sts_seconds and request.is_secure() and
'strict-transport-security' not in response):
'Strict-Transport-Security' not in response):
sts_header = "max-age=%s" % self.sts_seconds
if self.sts_include_subdomains:
sts_header = sts_header + "; includeSubDomains"
if self.sts_preload:
sts_header = sts_header + "; preload"
response["strict-transport-security"] = sts_header
response['Strict-Transport-Security'] = sts_header
if self.content_type_nosniff:
response.setdefault('x-content-type-options', 'nosniff')
response.setdefault('X-Content-Type-Options', 'nosniff')
if self.xss_filter:
response.setdefault('x-xss-protection', '1; mode=block')
response.setdefault('X-XSS-Protection', '1; mode=block')
return response
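Review bot: `process_response` has no docstring even though the renamed lines now spell out exactly which headers the middleware controls; directly under the `def` line I would add `"""Set Strict-Transport-Security (secure requests only, never overwriting an existing value), plus X-Content-Type-Options and X-XSS-Protection via setdefault, according to the middleware's settings."""`, which states only what the visible code does. The two `sts_header = sts_header + "..."` lines read more idiomatically as `sts_header += "; includeSubDomains"` and `sts_header += "; preload"`, a purely stylistic change with no effect on the emitted value. The enclosing `SecurityMiddleware` class begins and continues outside this hunk, so whether the rest of the file already uses augmented assignment cannot be checked here.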