From 04681597634a0c803246fe68b3bcb64f81e7305c Mon Sep 17 00:00:00 2001
From: Claude Paroz
Date: Fri, 2 Aug 2019 17:16:01 +0200
Subject: [PATCH] Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.
---
 django/conf/global_settings.py | 2 +-
 docs/ref/settings.txt | 6 +++++-
 docs/releases/3.0.txt | 6 ++++++
 tests/project_template/test_settings.py | 1 +
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 61d08ddba5..c7b6c2a4ea 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = []
 # SECURITY MIDDLEWARE #
 #######################
 SECURE_BROWSER_XSS_FILTER = False
-SECURE_CONTENT_TYPE_NOSNIFF = False
+SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_HSTS_INCLUDE_SUBDOMAINS = False
 SECURE_HSTS_PRELOAD = False
 SECURE_HSTS_SECONDS = 0
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 1c845b0df1..f1d60d257b 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2191,12 +2191,16 @@ header if you support older browsers.
 ``SECURE_CONTENT_TYPE_NOSNIFF``
 -------------------------------
-Default: ``False``
+Default: ``True``
 If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`x-content-type-options` header on all responses that do not already have it. +.. versionchanged:: 3.0 + In older versions, the default value is ``False``. + .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS ``SECURE_HSTS_INCLUDE_SUBDOMAINS``
diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt
index bc9cbe3751..b6b3368337 100644
--- a/docs/releases/3.0.txt
+++ b/docs/releases/3.0.txt
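Review bot: The new True default only changes observable behaviour for projects that run django.middleware.security.SecurityMiddleware, since it is that middleware which emits X-Content-Type-Options; the bare assignment in the hunk cannot convey that, so a short comment above it, `# Honoured by SecurityMiddleware; has no effect unless that middleware is in MIDDLEWARE.`, would spare readers of global_settings a trip to the docs. Any test that previously relied on the implicit False default without an explicit override will now see the header in responses; the diffstat only lists the project-template test, so presumably the middleware and check-framework tests already pin this setting explicitly, but that is worth confirming before merging. The system check that warns when this setting is False (security.W006, as far as I recall) is not touched by the commit and appears to stay meaningful as an opt-out warning, which also deserves a quick confirmation.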
@@ -519,6 +519,12 @@ Miscellaneous
 field names contains an asterisk, then the ``Vary`` header will consist of a single asterisk ``'*'``.
+* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
+  the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
+  :class:`~django.middleware.security.SecurityMiddleware` sets the
+  :ref:`x-content-type-options` header on all responses that do not already
+  have it.
+
 .. _deprecated-features-3.0:
 Features deprecated in 3.0
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index 0eaf950951..c76564c656 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase):
         self.assertEqual(headers, [
             b'Content-Length: 0',
             b'Content-Type: text/html; charset=utf-8',
+            b'X-Content-Type-Options: nosniff',
             b'X-Frame-Options: SAMEORIGIN',
         ])
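Review bot: The expected-header list in the test_settings.py hunk now depends implicitly on which security middleware the project template enables by default, and a future failure here would not say which layer regressed; a comment above the assertion such as `# nosniff / SAMEORIGIN are emitted by the security middleware enabled in the template's default MIDDLEWARE` would localise it. Because the assertion pins the exact header set, any further security default enabled in the template will fail this test rather than a more targeted one — presumably that is intended, as a regression guard on the template's defaults, but it is worth saying so in the comment. The enclosing test method starts outside the hunk, so I cannot see how `headers` is built or whether it is sorted before comparison.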