Refs #30426 -- Moved release notes into separate security section.
This commit is contained in:
parent
fc62e16291
commit
1edbb6c194
|
@ -364,6 +364,22 @@ Requests and Responses
|
||||||
* For use in, for example, Django templates, :attr:`.HttpRequest.headers` now
|
* For use in, for example, Django templates, :attr:`.HttpRequest.headers` now
|
||||||
allows look ups using underscores (e.g. ``user_agent``) in place of hyphens.
|
allows look ups using underscores (e.g. ``user_agent``) in place of hyphens.
|
||||||
|
|
||||||
|
.. _whats-new-security-3.0:
|
||||||
|
|
||||||
|
Security
|
||||||
|
~~~~~~~~
|
||||||
|
|
||||||
|
* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. In older versions, the
|
||||||
|
:setting:`X_FRAME_OPTIONS` setting defaults to ``'SAMEORIGIN'``. If your site
|
||||||
|
uses frames of itself, you will need to explicitly set ``X_FRAME_ORIGINS =
|
||||||
|
'SAMEORIGIN'`` for them to continue working.
|
||||||
|
|
||||||
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
|
||||||
|
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
|
||||||
|
:class:`~django.middleware.security.SecurityMiddleware` sets the
|
||||||
|
:ref:`x-content-type-options` header on all responses that do not already
|
||||||
|
have it.
|
||||||
|
|
||||||
Serialization
|
Serialization
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
@ -541,14 +557,18 @@ upload handler is used.
|
||||||
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
|
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
|
||||||
inconsistency.
|
inconsistency.
|
||||||
|
|
||||||
New default value for the ``X_FRAME_OPTIONS`` setting
|
New default values for security settings
|
||||||
-----------------------------------------------------
|
----------------------------------------
|
||||||
|
|
||||||
In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
|
To make Django projects more secure by default, some security settings now have
|
||||||
``'SAMEORIGIN'``. To make Django projects more secure by default,
|
more secure default values:
|
||||||
:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
|
|
||||||
of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
|
* :setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``.
|
||||||
for them to continue working.
|
|
||||||
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` now defaults to ``True``.
|
||||||
|
|
||||||
|
See the *What's New* :ref:`Security section <whats-new-security-3.0>` above for
|
||||||
|
more details on these changes.
|
||||||
|
|
||||||
Miscellaneous
|
Miscellaneous
|
||||||
-------------
|
-------------
|
||||||
|
@ -590,12 +610,6 @@ Miscellaneous
|
||||||
field names contains an asterisk, then the ``Vary`` header will consist of a
|
field names contains an asterisk, then the ``Vary`` header will consist of a
|
||||||
single asterisk ``'*'``.
|
single asterisk ``'*'``.
|
||||||
|
|
||||||
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting now defaults to ``True``. With
|
|
||||||
the enabled :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, the
|
|
||||||
:class:`~django.middleware.security.SecurityMiddleware` sets the
|
|
||||||
:ref:`x-content-type-options` header on all responses that do not already
|
|
||||||
have it.
|
|
||||||
|
|
||||||
* On MySQL 8.0.16+, ``PositiveIntegerField`` and ``PositiveSmallIntegerField``
|
* On MySQL 8.0.16+, ``PositiveIntegerField`` and ``PositiveSmallIntegerField``
|
||||||
now include a check constraint to prevent negative values in the database.
|
now include a check constraint to prevent negative values in the database.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue