Refs #30426 -- Changed default SECURE_CONTENT_TYPE_NOSNIFF to True.

django/conf/global_settings.py

@@ -628,7 +628,7 @@ SILENCED_SYSTEM_CHECKS = []
 # SECURITY MIDDLEWARE #
 #######################
 SECURE_BROWSER_XSS_FILTER = False
-SECURE_CONTENT_TYPE_NOSNIFF = False
+SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_HSTS_INCLUDE_SUBDOMAINS = False
 SECURE_HSTS_PRELOAD = False
 SECURE_HSTS_SECONDS = 0

docs/ref/settings.txt

@@ -2191,12 +2191,16 @@ header if you support older browsers.
 ``SECURE_CONTENT_TYPE_NOSNIFF``
 -------------------------------
 
-Default: ``False``
+Default: ``True``
 
 If ``True``, the :class:`~django.middleware.security.SecurityMiddleware`
 sets the :ref:`x-content-type-options` header on all responses that do not
 already have it.
 
+.. versionchanged:: 3.0
+
+    In older versions, the default value is ``False``.
+
 .. setting:: SECURE_HSTS_INCLUDE_SUBDOMAINS
 
 ``SECURE_HSTS_INCLUDE_SUBDOMAINS``

docs/releases/3.0.txt

@@ -519,6 +519,12 @@ Miscellaneous
   field names contains an asterisk, then the ``Vary`` header will consist of a
   single asterisk ``'*'``.
 
+* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
+  the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
+  :class:`~django.middleware.security.SecurityMiddleware` sets the
+  :ref:`x-content-type-options` header on all responses that do not already
+  have it.
+
 .. _deprecated-features-3.0:
 
 Features deprecated in 3.0

tests/project_template/test_settings.py

@@ -38,5 +38,6 @@ class TestStartProjectSettings(SimpleTestCase):
             self.assertEqual(headers, [
                 b'Content-Length: 0',
                 b'Content-Type: text/html; charset=utf-8',
+                b'X-Content-Type-Options: nosniff',
                 b'X-Frame-Options: SAMEORIGIN',
             ])