From 8b1f39a727be91aab40bdb37235718ed63ae1d50 Mon Sep 17 00:00:00 2001
From: Marissa Zhou
Date: Fri, 5 Jun 2015 16:50:53 +0100
Subject: [PATCH] Fixed #24796 -- Added a hint on placement of SecurityMiddleware in MIDDLEWARE_CLASSES.

Also moved it in the project template.
---
 django/conf/project_template/project_name/settings.py | 2 +-
 docs/ref/middleware.txt | 6 ++++++
 docs/topics/http/middleware.txt | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/django/conf/project_template/project_name/settings.py b/django/conf/project_template/project_name/settings.py
index e58e229c8a..aa9bae99ac 100644
--- a/django/conf/project_template/project_name/settings.py
+++ b/django/conf/project_template/project_name/settings.py
@@ -40,6 +40,7 @@ INSTALLED_APPS = [
 ]

 MIDDLEWARE_CLASSES = [
+ 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
@@ -47,7 +48,6 @@ MIDDLEWARE_CLASSES = [
 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
- 'django.middleware.security.SecurityMiddleware',
 ]

 ROOT_URLCONF = '{{ project_name }}.urls'
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index 8f88b6686c..d256347577 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -411,6 +411,12 @@ Middleware ordering

 Here are some hints about the ordering of various Django middleware classes:

+#. :class:`~django.middleware.security.SecurityMiddleware`
+
+ It should go near the top of the list if you're going to turn on the SSL
+ redirect as that avoids running through a bunch of other unnecessary
+ middleware.
+
 #. :class:`~django.middleware.cache.UpdateCacheMiddleware`

 Before those that modify the ``Vary`` header (``SessionMiddleware``,
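Review bot: The new first entry of `MIDDLEWARE_CLASSES` in `django/conf/project_template/project_name/settings.py` has no comment marking its position as deliberate, so in a generated project nothing stops a later edit from moving it back down the list. The reason given in this commit's `docs/ref/middleware.txt` hunk is that an early SSL redirect skips the other middleware; a one-line comment above the entry would carry that into the settings file, for example `# Keep SecurityMiddleware first: the SSL redirect (SECURE_SSL_REDIRECT) then runs before the other middleware.` The list is split across the two hunks of this file and one entry between them is not shown.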
diff --git a/docs/topics/http/middleware.txt b/docs/topics/http/middleware.txt
index 503a95cdfe..3cd6baa520 100644
--- a/docs/topics/http/middleware.txt
+++ b/docs/topics/http/middleware.txt
@@ -28,6 +28,7 @@ here's the default value created by :djadmin:`django-admin startproject
 `::

 MIDDLEWARE_CLASSES = [
+ 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
@@ -35,7 +36,6 @@ here's the default value created by :djadmin:`django-admin startproject
 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
- 'django.middleware.security.SecurityMiddleware',
 ]

 A Django installation doesn't require any middleware —