2009-12-26 11:44:21 +08:00
|
|
|
|
==========
|
|
|
|
|
Middleware
|
|
|
|
|
==========
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
.. module:: django.middleware
|
|
|
|
|
:synopsis: Django's built-in middleware classes.
|
|
|
|
|
|
|
|
|
|
This document explains all middleware components that come with Django. For
|
2011-06-20 03:40:18 +08:00
|
|
|
|
information on how to use them and how to write your own middleware, see
|
2010-08-20 03:27:44 +08:00
|
|
|
|
the :doc:`middleware usage guide </topics/http/middleware>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
Available middleware
|
|
|
|
|
====================
|
|
|
|
|
|
|
|
|
|
Cache middleware
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.cache
|
2009-02-15 13:46:00 +08:00
|
|
|
|
:synopsis: Middleware for the site-wide cache.
|
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: UpdateCacheMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: FetchFromCacheMiddleware
|
2008-09-01 17:42:15 +08:00
|
|
|
|
|
|
|
|
|
Enable the site-wide cache. If these are enabled, each Django-powered page will
|
2008-08-24 06:25:40 +08:00
|
|
|
|
be cached for as long as the :setting:`CACHE_MIDDLEWARE_SECONDS` setting
|
2010-08-20 03:27:44 +08:00
|
|
|
|
defines. See the :doc:`cache documentation </topics/cache>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
"Common" middleware
|
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.common
|
|
|
|
|
:synopsis: Middleware adding "common" conveniences for perfectionists.
|
2009-02-15 13:46:00 +08:00
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: CommonMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
Adds a few conveniences for perfectionists:
|
|
|
|
|
|
2011-10-14 08:12:01 +08:00
|
|
|
|
* Forbids access to user agents in the :setting:`DISALLOWED_USER_AGENTS`
|
2013-07-25 18:57:49 +08:00
|
|
|
|
setting, which should be a list of compiled regular expression objects.
|
2011-10-14 08:12:01 +08:00
|
|
|
|
|
|
|
|
|
* Performs URL rewriting based on the :setting:`APPEND_SLASH` and
|
|
|
|
|
:setting:`PREPEND_WWW` settings.
|
|
|
|
|
|
|
|
|
|
If :setting:`APPEND_SLASH` is ``True`` and the initial URL doesn't end
|
|
|
|
|
with a slash, and it is not found in the URLconf, then a new URL is
|
|
|
|
|
formed by appending a slash at the end. If this new URL is found in the
|
|
|
|
|
URLconf, then Django redirects the request to this new URL. Otherwise,
|
|
|
|
|
the initial URL is processed as usual.
|
|
|
|
|
|
|
|
|
|
For example, ``foo.com/bar`` will be redirected to ``foo.com/bar/`` if
|
|
|
|
|
you don't have a valid URL pattern for ``foo.com/bar`` but *do* have a
|
|
|
|
|
valid pattern for ``foo.com/bar/``.
|
|
|
|
|
|
|
|
|
|
If :setting:`PREPEND_WWW` is ``True``, URLs that lack a leading "www."
|
|
|
|
|
will be redirected to the same URL with a leading "www."
|
|
|
|
|
|
|
|
|
|
Both of these options are meant to normalize URLs. The philosophy is that
|
|
|
|
|
each URL should exist in one, and only one, place. Technically a URL
|
|
|
|
|
``foo.com/bar`` is distinct from ``foo.com/bar/`` -- a search-engine
|
|
|
|
|
indexer would treat them as separate URLs -- so it's best practice to
|
|
|
|
|
normalize URLs.
|
|
|
|
|
|
2020-10-20 15:14:48 +08:00
|
|
|
|
If necessary, individual views may be excluded from the ``APPEND_SLASH``
|
|
|
|
|
behavior using the :func:`~django.views.decorators.common.no_append_slash`
|
|
|
|
|
decorator::
|
|
|
|
|
|
|
|
|
|
from django.views.decorators.common import no_append_slash
|
|
|
|
|
|
|
|
|
|
@no_append_slash
|
|
|
|
|
def sensitive_fbv(request, *args, **kwargs):
|
|
|
|
|
"""View to be excluded from APPEND_SLASH."""
|
|
|
|
|
return HttpResponse()
|
|
|
|
|
|
2016-06-18 16:51:38 +08:00
|
|
|
|
* Sets the ``Content-Length`` header for non-streaming responses.
|
|
|
|
|
|
2014-11-05 04:19:10 +08:00
|
|
|
|
.. attribute:: CommonMiddleware.response_redirect_class
|
|
|
|
|
|
|
|
|
|
Defaults to :class:`~django.http.HttpResponsePermanentRedirect`. Subclass
|
|
|
|
|
``CommonMiddleware`` and override the attribute to customize the redirects
|
|
|
|
|
issued by the middleware.
|
|
|
|
|
|
2013-01-02 05:28:48 +08:00
|
|
|
|
.. class:: BrokenLinkEmailsMiddleware
|
|
|
|
|
|
|
|
|
|
* Sends broken link notification emails to :setting:`MANAGERS` (see
|
|
|
|
|
:doc:`/howto/error-reporting`).
|
|
|
|
|
|
2012-01-10 05:42:03 +08:00
|
|
|
|
GZip middleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.gzip
|
2012-01-10 05:42:03 +08:00
|
|
|
|
:synopsis: Middleware to serve GZipped content for performance.
|
2009-02-15 13:46:00 +08:00
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: GZipMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2022-11-21 04:46:55 +08:00
|
|
|
|
.. attribute:: max_random_bytes
|
2013-09-11 20:17:15 +08:00
|
|
|
|
|
2022-11-21 04:46:55 +08:00
|
|
|
|
Defaults to 100. Subclass ``GZipMiddleware`` and override the attribute
|
|
|
|
|
to change the maximum number of random bytes that is included with
|
|
|
|
|
compressed responses.
|
2013-09-11 20:17:15 +08:00
|
|
|
|
|
2022-11-21 04:46:55 +08:00
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
Security researchers revealed that when compression techniques (including
|
|
|
|
|
``GZipMiddleware``) are used on a website, the site may become exposed to a
|
|
|
|
|
number of possible attacks.
|
|
|
|
|
|
|
|
|
|
To mitigate attacks, Django implements a technique called *Heal The Breach
|
|
|
|
|
(HTB)*. It adds up to 100 bytes (see
|
|
|
|
|
:attr:`.max_random_bytes`) of random bytes to each response
|
|
|
|
|
to make the attacks less effective.
|
|
|
|
|
|
|
|
|
|
For more details, see the `BREACH paper (PDF)`_, `breachattack.com`_, and
|
|
|
|
|
the `Heal The Breach (HTB) paper`_.
|
|
|
|
|
|
|
|
|
|
.. _BREACH paper (PDF): https://www.breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
|
2022-12-06 12:59:43 +08:00
|
|
|
|
.. _breachattack.com: https://www.breachattack.com/
|
2022-11-21 04:46:55 +08:00
|
|
|
|
.. _Heal The Breach (HTB) paper: https://ieeexplore.ieee.org/document/9754554
|
|
|
|
|
|
|
|
|
|
.. versionchanged:: 4.2
|
|
|
|
|
|
|
|
|
|
Mitigation for the BREACH attack was added.
|
2013-09-11 20:17:15 +08:00
|
|
|
|
|
2019-09-27 03:32:56 +08:00
|
|
|
|
The ``django.middleware.gzip.GZipMiddleware`` compresses content for browsers
|
|
|
|
|
that understand GZip compression (all modern browsers).
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2012-10-17 19:03:40 +08:00
|
|
|
|
This middleware should be placed before any other middleware that need to
|
|
|
|
|
read or write the response body so that compression happens afterward.
|
2012-01-10 05:42:03 +08:00
|
|
|
|
|
2012-02-04 04:45:45 +08:00
|
|
|
|
It will NOT compress content if any of the following are true:
|
2012-01-10 05:42:03 +08:00
|
|
|
|
|
2012-02-04 04:45:45 +08:00
|
|
|
|
* The content body is less than 200 bytes long.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2012-02-04 04:45:45 +08:00
|
|
|
|
* The response has already set the ``Content-Encoding`` header.
|
|
|
|
|
|
|
|
|
|
* The request (the browser) hasn't sent an ``Accept-Encoding`` header
|
|
|
|
|
containing ``gzip``.
|
|
|
|
|
|
2016-10-11 15:42:00 +08:00
|
|
|
|
If the response has an ``ETag`` header, the ETag is made weak to comply with
|
2022-11-04 20:33:09 +08:00
|
|
|
|
:rfc:`9110#section-8.8.1`.
|
2016-10-11 15:42:00 +08:00
|
|
|
|
|
2012-02-04 04:45:45 +08:00
|
|
|
|
You can apply GZip compression to individual views using the
|
2013-01-01 21:12:42 +08:00
|
|
|
|
:func:`~django.views.decorators.gzip.gzip_page()` decorator.
|
2010-12-27 21:27:26 +08:00
|
|
|
|
|
2008-08-24 06:25:40 +08:00
|
|
|
|
Conditional GET middleware
|
|
|
|
|
--------------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.http
|
|
|
|
|
:synopsis: Middleware handling advanced HTTP features.
|
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: ConditionalGetMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2016-04-03 18:15:10 +08:00
|
|
|
|
Handles conditional GET operations. If the response doesn't have an ``ETag``
|
2018-11-14 22:47:22 +08:00
|
|
|
|
header, the middleware adds one if needed. If the response has an ``ETag`` or
|
2008-08-24 06:25:40 +08:00
|
|
|
|
``Last-Modified`` header, and the request has ``If-None-Match`` or
|
|
|
|
|
``If-Modified-Since``, the response is replaced by an
|
2013-01-01 21:12:42 +08:00
|
|
|
|
:class:`~django.http.HttpResponseNotModified`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
Locale middleware
|
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.locale
|
|
|
|
|
:synopsis: Middleware to enable language selection based on the request.
|
2009-02-15 13:46:00 +08:00
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: LocaleMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2009-02-15 13:46:00 +08:00
|
|
|
|
Enables language selection based on data from the request. It customizes
|
2010-08-20 03:27:44 +08:00
|
|
|
|
content for each user. See the :doc:`internationalization documentation
|
2012-07-29 01:31:41 +08:00
|
|
|
|
</topics/i18n/translation>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2012-11-17 20:14:12 +08:00
|
|
|
|
.. attribute:: LocaleMiddleware.response_redirect_class
|
|
|
|
|
|
|
|
|
|
Defaults to :class:`~django.http.HttpResponseRedirect`. Subclass
|
|
|
|
|
``LocaleMiddleware`` and override the attribute to customize the redirects
|
|
|
|
|
issued by the middleware.
|
|
|
|
|
|
2009-12-10 00:57:23 +08:00
|
|
|
|
Message middleware
|
|
|
|
|
------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.contrib.messages.middleware
|
|
|
|
|
:synopsis: Message middleware.
|
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: MessageMiddleware
|
2009-12-10 00:57:23 +08:00
|
|
|
|
|
2009-12-26 11:44:21 +08:00
|
|
|
|
Enables cookie- and session-based message support. See the
|
2010-08-20 03:27:44 +08:00
|
|
|
|
:doc:`messages documentation </ref/contrib/messages>`.
|
2009-12-10 00:57:23 +08:00
|
|
|
|
|
2014-09-13 02:50:36 +08:00
|
|
|
|
.. _security-middleware:
|
|
|
|
|
|
|
|
|
|
Security middleware
|
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.middleware.security
|
|
|
|
|
:synopsis: Security middleware.
|
|
|
|
|
|
|
|
|
|
.. warning::
|
|
|
|
|
If your deployment situation allows, it's usually a good idea to have your
|
2021-07-23 14:48:16 +08:00
|
|
|
|
front-end web server perform the functionality provided by the
|
2014-09-13 02:50:36 +08:00
|
|
|
|
``SecurityMiddleware``. That way, if there are requests that aren't served
|
|
|
|
|
by Django (such as static media or user-uploaded files), they will have
|
|
|
|
|
the same protections as requests to your Django application.
|
|
|
|
|
|
|
|
|
|
.. class:: SecurityMiddleware
|
|
|
|
|
|
|
|
|
|
The ``django.middleware.security.SecurityMiddleware`` provides several security
|
|
|
|
|
enhancements to the request/response cycle. Each one can be independently
|
|
|
|
|
enabled or disabled with a setting.
|
|
|
|
|
|
|
|
|
|
* :setting:`SECURE_CONTENT_TYPE_NOSNIFF`
|
2020-08-27 00:09:19 +08:00
|
|
|
|
* :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY`
|
2014-09-13 02:50:36 +08:00
|
|
|
|
* :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`
|
2016-07-29 00:48:07 +08:00
|
|
|
|
* :setting:`SECURE_HSTS_PRELOAD`
|
2014-09-13 02:50:36 +08:00
|
|
|
|
* :setting:`SECURE_HSTS_SECONDS`
|
|
|
|
|
* :setting:`SECURE_REDIRECT_EXEMPT`
|
2019-03-22 05:33:41 +08:00
|
|
|
|
* :setting:`SECURE_REFERRER_POLICY`
|
2014-09-13 02:50:36 +08:00
|
|
|
|
* :setting:`SECURE_SSL_HOST`
|
|
|
|
|
* :setting:`SECURE_SSL_REDIRECT`
|
|
|
|
|
|
|
|
|
|
.. _http-strict-transport-security:
|
|
|
|
|
|
|
|
|
|
HTTP Strict Transport Security
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
For sites that should only be accessed over HTTPS, you can instruct modern
|
|
|
|
|
browsers to refuse to connect to your domain name via an insecure connection
|
|
|
|
|
(for a given period of time) by setting the `"Strict-Transport-Security"
|
2019-03-25 05:26:04 +08:00
|
|
|
|
header`__. This reduces your exposure to some SSL-stripping man-in-the-middle
|
2014-09-13 02:50:36 +08:00
|
|
|
|
(MITM) attacks.
|
|
|
|
|
|
|
|
|
|
``SecurityMiddleware`` will set this header for you on all HTTPS responses if
|
|
|
|
|
you set the :setting:`SECURE_HSTS_SECONDS` setting to a non-zero integer value.
|
|
|
|
|
|
|
|
|
|
When enabling HSTS, it's a good idea to first use a small value for testing,
|
|
|
|
|
for example, :setting:`SECURE_HSTS_SECONDS = 3600<SECURE_HSTS_SECONDS>` for one
|
2021-07-23 14:48:16 +08:00
|
|
|
|
hour. Each time a web browser sees the HSTS header from your site, it will
|
2014-09-13 02:50:36 +08:00
|
|
|
|
refuse to communicate non-securely (using HTTP) with your domain for the given
|
|
|
|
|
period of time. Once you confirm that all assets are served securely on your
|
|
|
|
|
site (i.e. HSTS didn't break anything), it's a good idea to increase this value
|
|
|
|
|
so that infrequent visitors will be protected (31536000 seconds, i.e. 1 year,
|
|
|
|
|
is common).
|
|
|
|
|
|
|
|
|
|
Additionally, if you set the :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` setting
|
2016-07-29 00:30:16 +08:00
|
|
|
|
to ``True``, ``SecurityMiddleware`` will add the ``includeSubDomains`` directive
|
|
|
|
|
to the ``Strict-Transport-Security`` header. This is recommended (assuming all
|
2014-09-13 02:50:36 +08:00
|
|
|
|
subdomains are served exclusively using HTTPS), otherwise your site may still
|
|
|
|
|
be vulnerable via an insecure connection to a subdomain.
|
|
|
|
|
|
2016-07-29 00:48:07 +08:00
|
|
|
|
If you wish to submit your site to the `browser preload list`_, set the
|
|
|
|
|
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. That appends the
|
|
|
|
|
``preload`` directive to the ``Strict-Transport-Security`` header.
|
|
|
|
|
|
2014-09-13 02:50:36 +08:00
|
|
|
|
.. warning::
|
|
|
|
|
The HSTS policy applies to your entire domain, not just the URL of the
|
|
|
|
|
response that you set the header on. Therefore, you should only use it if
|
|
|
|
|
your entire domain is served via HTTPS only.
|
|
|
|
|
|
|
|
|
|
Browsers properly respecting the HSTS header will refuse to allow users to
|
|
|
|
|
bypass warnings and connect to a site with an expired, self-signed, or
|
|
|
|
|
otherwise invalid SSL certificate. If you use HSTS, make sure your
|
|
|
|
|
certificates are in good shape and stay that way!
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
If you are deployed behind a load-balancer or reverse-proxy server, and the
|
|
|
|
|
``Strict-Transport-Security`` header is not being added to your responses,
|
|
|
|
|
it may be because Django doesn't realize that it's on a secure connection;
|
|
|
|
|
you may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting.
|
|
|
|
|
|
2019-03-25 05:26:04 +08:00
|
|
|
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
2017-05-20 23:51:21 +08:00
|
|
|
|
.. _browser preload list: https://hstspreload.org/
|
2014-09-13 02:50:36 +08:00
|
|
|
|
|
2019-03-22 05:33:41 +08:00
|
|
|
|
.. _referrer-policy:
|
|
|
|
|
|
|
|
|
|
Referrer Policy
|
|
|
|
|
~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
Browsers use `the Referer header`__ as a way to send information to a site
|
|
|
|
|
about how users got there. When a user clicks a link, the browser will send the
|
|
|
|
|
full URL of the linking page as the referrer. While this can be useful for some
|
|
|
|
|
purposes -- like figuring out who's linking to your site -- it also can cause
|
|
|
|
|
privacy concerns by informing one site that a user was visiting another site.
|
|
|
|
|
|
|
|
|
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
|
|
|
|
|
|
|
|
|
|
Some browsers have the ability to accept hints about whether they should send
|
|
|
|
|
the HTTP ``Referer`` header when a user clicks a link; this hint is provided
|
|
|
|
|
via `the Referrer-Policy header`__. This header can suggest any of three
|
|
|
|
|
behaviors to browsers:
|
|
|
|
|
|
|
|
|
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
|
|
|
|
|
|
|
|
|
|
* Full URL: send the entire URL in the ``Referer`` header. For example, if the
|
|
|
|
|
user is visiting ``https://example.com/page.html``, the ``Referer`` header
|
|
|
|
|
would contain ``"https://example.com/page.html"``.
|
|
|
|
|
|
|
|
|
|
* Origin only: send only the "origin" in the referrer. The origin consists of
|
|
|
|
|
the scheme, host and (optionally) port number. For example, if the user is
|
|
|
|
|
visiting ``https://example.com/page.html``, the origin would be
|
|
|
|
|
``https://example.com/``.
|
|
|
|
|
|
|
|
|
|
* No referrer: do not send a ``Referer`` header at all.
|
|
|
|
|
|
|
|
|
|
There are two types of conditions this header can tell a browser to watch out
|
|
|
|
|
for:
|
|
|
|
|
|
|
|
|
|
* Same-origin versus cross-origin: a link from ``https://example.com/1.html``
|
|
|
|
|
to ``https://example.com/2.html`` is same-origin. A link from
|
|
|
|
|
``https://example.com/page.html`` to ``https://not.example.com/page.html`` is
|
|
|
|
|
cross-origin.
|
|
|
|
|
|
|
|
|
|
* Protocol downgrade: a downgrade occurs if the page containing the link is
|
|
|
|
|
served via HTTPS, but the page being linked to is not served via HTTPS.
|
|
|
|
|
|
|
|
|
|
.. warning::
|
|
|
|
|
When your site is served via HTTPS, :ref:`Django's CSRF protection system
|
2022-03-17 09:12:31 +08:00
|
|
|
|
<how-csrf-works>` requires the ``Referer`` header to be present, so
|
|
|
|
|
completely disabling the ``Referer`` header will interfere with CSRF
|
|
|
|
|
protection. To gain most of the benefits of disabling ``Referer`` headers
|
|
|
|
|
while also keeping CSRF protection, consider enabling only same-origin
|
|
|
|
|
referrers.
|
2019-03-22 05:33:41 +08:00
|
|
|
|
|
|
|
|
|
``SecurityMiddleware`` can set the ``Referrer-Policy`` header for you, based on
|
2019-09-11 18:55:17 +08:00
|
|
|
|
the :setting:`SECURE_REFERRER_POLICY` setting (note spelling: browsers send a
|
|
|
|
|
``Referer`` header when a user clicks a link, but the header instructing a
|
2019-03-22 05:33:41 +08:00
|
|
|
|
browser whether to do so is spelled ``Referrer-Policy``). The valid values for
|
|
|
|
|
this setting are:
|
|
|
|
|
|
|
|
|
|
``no-referrer``
|
|
|
|
|
Instructs the browser to send no referrer for links clicked on this site.
|
|
|
|
|
|
|
|
|
|
``no-referrer-when-downgrade``
|
|
|
|
|
Instructs the browser to send a full URL as the referrer, but only when no
|
|
|
|
|
protocol downgrade occurs.
|
|
|
|
|
|
|
|
|
|
``origin``
|
|
|
|
|
Instructs the browser to send only the origin, not the full URL, as the
|
|
|
|
|
referrer.
|
|
|
|
|
|
|
|
|
|
``origin-when-cross-origin``
|
|
|
|
|
Instructs the browser to send the full URL as the referrer for same-origin
|
|
|
|
|
links, and only the origin for cross-origin links.
|
|
|
|
|
|
|
|
|
|
``same-origin``
|
|
|
|
|
Instructs the browser to send a full URL, but only for same-origin links. No
|
|
|
|
|
referrer will be sent for cross-origin links.
|
|
|
|
|
|
|
|
|
|
``strict-origin``
|
|
|
|
|
Instructs the browser to send only the origin, not the full URL, and to send
|
|
|
|
|
no referrer when a protocol downgrade occurs.
|
|
|
|
|
|
|
|
|
|
``strict-origin-when-cross-origin``
|
|
|
|
|
Instructs the browser to send the full URL when the link is same-origin and
|
|
|
|
|
no protocol downgrade occurs; send only the origin when the link is
|
|
|
|
|
cross-origin and no protocol downgrade occurs; and no referrer when a
|
|
|
|
|
protocol downgrade occurs.
|
|
|
|
|
|
|
|
|
|
``unsafe-url``
|
|
|
|
|
Instructs the browser to always send the full URL as the referrer.
|
|
|
|
|
|
|
|
|
|
.. admonition:: Unknown Policy Values
|
|
|
|
|
|
|
|
|
|
Where a policy value is `unknown`__ by a user agent, it is possible to
|
|
|
|
|
specify multiple policy values to provide a fallback. The last specified
|
|
|
|
|
value that is understood takes precedence. To support this, an iterable or
|
|
|
|
|
comma-separated string can be used with :setting:`SECURE_REFERRER_POLICY`.
|
|
|
|
|
|
|
|
|
|
__ https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values
|
|
|
|
|
|
2020-08-27 00:09:19 +08:00
|
|
|
|
.. _cross-origin-opener-policy:
|
|
|
|
|
|
|
|
|
|
Cross-Origin Opener Policy
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
Some browsers have the ability to isolate top-level windows from other
|
|
|
|
|
documents by putting them in a separate browsing context group based on the
|
|
|
|
|
value of the `Cross-Origin Opener Policy`__ (COOP) header. If a document that
|
|
|
|
|
is isolated in this way opens a cross-origin popup window, the popup’s
|
|
|
|
|
``window.opener`` property will be ``null``. Isolating windows using COOP is a
|
|
|
|
|
defense-in-depth protection against cross-origin attacks, especially those like
|
|
|
|
|
Spectre which allowed exfiltration of data loaded into a shared browsing
|
|
|
|
|
context.
|
|
|
|
|
|
|
|
|
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
|
|
|
|
|
|
|
|
|
|
``SecurityMiddleware`` can set the ``Cross-Origin-Opener-Policy`` header for
|
|
|
|
|
you, based on the :setting:`SECURE_CROSS_ORIGIN_OPENER_POLICY` setting. The
|
|
|
|
|
valid values for this setting are:
|
|
|
|
|
|
|
|
|
|
``same-origin``
|
|
|
|
|
Isolates the browsing context exclusively to same-origin documents.
|
|
|
|
|
Cross-origin documents are not loaded in the same browsing context. This
|
|
|
|
|
is the default and most secure option.
|
|
|
|
|
|
|
|
|
|
``same-origin-allow-popups``
|
|
|
|
|
Isolates the browsing context to same-origin documents or those which
|
|
|
|
|
either don't set COOP or which opt out of isolation by setting a COOP of
|
|
|
|
|
``unsafe-none``.
|
|
|
|
|
|
|
|
|
|
``unsafe-none``
|
|
|
|
|
Allows the document to be added to its opener's browsing context group
|
|
|
|
|
unless the opener itself has a COOP of ``same-origin`` or
|
|
|
|
|
``same-origin-allow-popups``.
|
|
|
|
|
|
2014-09-13 02:50:36 +08:00
|
|
|
|
.. _x-content-type-options:
|
|
|
|
|
|
|
|
|
|
``X-Content-Type-Options: nosniff``
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
Some browsers will try to guess the content types of the assets that they
|
|
|
|
|
fetch, overriding the ``Content-Type`` header. While this can help display
|
|
|
|
|
sites with improperly configured servers, it can also pose a security
|
|
|
|
|
risk.
|
|
|
|
|
|
|
|
|
|
If your site serves user-uploaded files, a malicious user could upload a
|
2015-05-01 03:39:29 +08:00
|
|
|
|
specially-crafted file that would be interpreted as HTML or JavaScript by
|
2014-09-13 02:50:36 +08:00
|
|
|
|
the browser when you expected it to be something harmless.
|
|
|
|
|
|
|
|
|
|
To prevent the browser from guessing the content type and force it to
|
|
|
|
|
always use the type provided in the ``Content-Type`` header, you can pass
|
2017-05-20 23:51:21 +08:00
|
|
|
|
the `X-Content-Type-Options: nosniff`__ header. ``SecurityMiddleware`` will
|
2014-09-13 02:50:36 +08:00
|
|
|
|
do this for all responses if the :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting
|
|
|
|
|
is ``True``.
|
|
|
|
|
|
|
|
|
|
Note that in most deployment situations where Django isn't involved in serving
|
|
|
|
|
user-uploaded files, this setting won't help you. For example, if your
|
2021-07-23 14:48:16 +08:00
|
|
|
|
:setting:`MEDIA_URL` is served directly by your front-end web server (nginx,
|
2014-09-13 02:50:36 +08:00
|
|
|
|
Apache, etc.) then you'd want to set this header there. On the other hand, if
|
|
|
|
|
you are using Django to do something like require authorization in order to
|
2021-07-23 14:48:16 +08:00
|
|
|
|
download files and you cannot set the header using your web server, this
|
2014-09-13 02:50:36 +08:00
|
|
|
|
setting will be useful.
|
|
|
|
|
|
2017-05-20 23:51:21 +08:00
|
|
|
|
__ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
2014-09-13 02:50:36 +08:00
|
|
|
|
|
|
|
|
|
.. _ssl-redirect:
|
|
|
|
|
|
|
|
|
|
SSL Redirect
|
|
|
|
|
~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
If your site offers both HTTP and HTTPS connections, most users will end up
|
|
|
|
|
with an unsecured connection by default. For best security, you should redirect
|
|
|
|
|
all HTTP connections to HTTPS.
|
|
|
|
|
|
|
|
|
|
If you set the :setting:`SECURE_SSL_REDIRECT` setting to True,
|
|
|
|
|
``SecurityMiddleware`` will permanently (HTTP 301) redirect all HTTP
|
|
|
|
|
connections to HTTPS.
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
For performance reasons, it's preferable to do these redirects outside of
|
|
|
|
|
Django, in a front-end load balancer or reverse-proxy server such as
|
|
|
|
|
`nginx`_. :setting:`SECURE_SSL_REDIRECT` is intended for the deployment
|
|
|
|
|
situations where this isn't an option.
|
|
|
|
|
|
|
|
|
|
If the :setting:`SECURE_SSL_HOST` setting has a value, all redirects will be
|
|
|
|
|
sent to that host instead of the originally-requested host.
|
|
|
|
|
|
|
|
|
|
If there are a few pages on your site that should be available over HTTP, and
|
|
|
|
|
not redirected to HTTPS, you can list regular expressions to match those URLs
|
|
|
|
|
in the :setting:`SECURE_REDIRECT_EXEMPT` setting.
|
|
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
If you are deployed behind a load-balancer or reverse-proxy server and
|
|
|
|
|
Django can't seem to tell when a request actually is already secure, you
|
|
|
|
|
may need to set the :setting:`SECURE_PROXY_SSL_HEADER` setting.
|
|
|
|
|
|
2021-04-27 19:09:00 +08:00
|
|
|
|
.. _nginx: https://nginx.org/
|
2014-09-13 02:50:36 +08:00
|
|
|
|
|
2008-08-24 06:25:40 +08:00
|
|
|
|
Session middleware
|
|
|
|
|
------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.contrib.sessions.middleware
|
|
|
|
|
:synopsis: Session middleware.
|
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: SessionMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2010-08-20 03:27:44 +08:00
|
|
|
|
Enables session support. See the :doc:`session documentation
|
|
|
|
|
</topics/http/sessions>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2013-11-19 04:16:09 +08:00
|
|
|
|
Site middleware
|
|
|
|
|
---------------
|
|
|
|
|
|
2014-03-22 00:24:49 +08:00
|
|
|
|
.. module:: django.contrib.sites.middleware
|
2013-11-19 04:16:09 +08:00
|
|
|
|
:synopsis: Site middleware.
|
|
|
|
|
|
|
|
|
|
.. class:: CurrentSiteMiddleware
|
|
|
|
|
|
|
|
|
|
Adds the ``site`` attribute representing the current site to every incoming
|
|
|
|
|
``HttpRequest`` object. See the :ref:`sites documentation <site-middleware>`.
|
|
|
|
|
|
2008-08-24 06:25:40 +08:00
|
|
|
|
Authentication middleware
|
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
|
|
.. module:: django.contrib.auth.middleware
|
2009-02-15 13:46:00 +08:00
|
|
|
|
:synopsis: Authentication middleware.
|
|
|
|
|
|
2010-11-28 05:58:20 +08:00
|
|
|
|
.. class:: AuthenticationMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2009-02-15 13:46:00 +08:00
|
|
|
|
Adds the ``user`` attribute, representing the currently-logged-in user, to
|
2021-07-23 14:48:16 +08:00
|
|
|
|
every incoming ``HttpRequest`` object. See :ref:`Authentication in web requests
|
2012-12-29 03:00:11 +08:00
|
|
|
|
<auth-web-requests>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2014-04-16 19:22:15 +08:00
|
|
|
|
.. class:: RemoteUserMiddleware
|
|
|
|
|
|
2021-07-23 14:48:16 +08:00
|
|
|
|
Middleware for utilizing web server provided authentication. See
|
2014-04-16 19:22:15 +08:00
|
|
|
|
:doc:`/howto/auth-remote-user` for usage details.
|
|
|
|
|
|
2015-06-27 02:59:57 +08:00
|
|
|
|
.. class:: PersistentRemoteUserMiddleware
|
|
|
|
|
|
2021-07-23 14:48:16 +08:00
|
|
|
|
Middleware for utilizing web server provided authentication when enabled only
|
2015-06-27 02:59:57 +08:00
|
|
|
|
on the login page. See :ref:`persistent-remote-user-middleware-howto` for usage
|
|
|
|
|
details.
|
|
|
|
|
|
2008-08-24 06:25:40 +08:00
|
|
|
|
CSRF protection middleware
|
|
|
|
|
--------------------------
|
|
|
|
|
|
2019-06-03 18:39:48 +08:00
|
|
|
|
.. currentmodule:: django.middleware.csrf
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2011-11-13 01:37:29 +08:00
|
|
|
|
.. class:: CsrfViewMiddleware
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
|
|
|
|
Adds protection against Cross Site Request Forgeries by adding hidden form
|
|
|
|
|
fields to POST forms and checking requests for the correct value. See the
|
2014-11-01 06:39:46 +08:00
|
|
|
|
:doc:`Cross Site Request Forgery protection documentation </ref/csrf>`.
|
2008-08-24 06:25:40 +08:00
|
|
|
|
|
2016-01-25 05:26:11 +08:00
|
|
|
|
``X-Frame-Options`` middleware
|
|
|
|
|
------------------------------
|
2011-05-31 06:27:47 +08:00
|
|
|
|
|
2019-06-03 18:39:48 +08:00
|
|
|
|
.. currentmodule:: django.middleware.clickjacking
|
2011-05-31 06:27:47 +08:00
|
|
|
|
|
|
|
|
|
.. class:: XFrameOptionsMiddleware
|
|
|
|
|
|
|
|
|
|
Simple :doc:`clickjacking protection via the X-Frame-Options header </ref/clickjacking/>`.
|
2014-05-22 23:08:32 +08:00
|
|
|
|
|
|
|
|
|
.. _middleware-ordering:
|
|
|
|
|
|
|
|
|
|
Middleware ordering
|
|
|
|
|
===================
|
|
|
|
|
|
|
|
|
|
Here are some hints about the ordering of various Django middleware classes:
|
|
|
|
|
|
2015-06-05 23:50:53 +08:00
|
|
|
|
#. :class:`~django.middleware.security.SecurityMiddleware`
|
|
|
|
|
|
|
|
|
|
It should go near the top of the list if you're going to turn on the SSL
|
|
|
|
|
redirect as that avoids running through a bunch of other unnecessary
|
|
|
|
|
middleware.
|
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
#. :class:`~django.middleware.cache.UpdateCacheMiddleware`
|
|
|
|
|
|
|
|
|
|
Before those that modify the ``Vary`` header (``SessionMiddleware``,
|
|
|
|
|
``GZipMiddleware``, ``LocaleMiddleware``).
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.middleware.gzip.GZipMiddleware`
|
|
|
|
|
|
|
|
|
|
Before any middleware that may change or use the response body.
|
|
|
|
|
|
|
|
|
|
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.contrib.sessions.middleware.SessionMiddleware`
|
|
|
|
|
|
2019-09-11 18:55:17 +08:00
|
|
|
|
Before any middleware that may raise an exception to trigger an error
|
2019-01-22 16:56:48 +08:00
|
|
|
|
view (such as :exc:`~django.core.exceptions.PermissionDenied`) if you're
|
|
|
|
|
using :setting:`CSRF_USE_SESSIONS`.
|
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
After ``UpdateCacheMiddleware``: Modifies ``Vary`` header.
|
|
|
|
|
|
2017-11-12 09:45:17 +08:00
|
|
|
|
#. :class:`~django.middleware.http.ConditionalGetMiddleware`
|
|
|
|
|
|
|
|
|
|
Before any middleware that may change the response (it sets the ``ETag``
|
|
|
|
|
header).
|
|
|
|
|
|
|
|
|
|
After ``GZipMiddleware`` so it won't calculate an ``ETag`` header on gzipped
|
|
|
|
|
contents.
|
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
#. :class:`~django.middleware.locale.LocaleMiddleware`
|
|
|
|
|
|
|
|
|
|
One of the topmost, after ``SessionMiddleware`` (uses session data) and
|
2015-07-26 15:48:24 +08:00
|
|
|
|
``UpdateCacheMiddleware`` (modifies ``Vary`` header).
|
2014-05-22 23:08:32 +08:00
|
|
|
|
|
|
|
|
|
#. :class:`~django.middleware.common.CommonMiddleware`
|
|
|
|
|
|
2017-11-08 23:02:30 +08:00
|
|
|
|
Before any middleware that may change the response (it sets the
|
|
|
|
|
``Content-Length`` header). A middleware that appears before
|
|
|
|
|
``CommonMiddleware`` and changes the response must reset ``Content-Length``.
|
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
Close to the top: it redirects when :setting:`APPEND_SLASH` or
|
|
|
|
|
:setting:`PREPEND_WWW` are set to ``True``.
|
|
|
|
|
|
2019-01-22 16:56:48 +08:00
|
|
|
|
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
|
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
#. :class:`~django.middleware.csrf.CsrfViewMiddleware`
|
|
|
|
|
|
|
|
|
|
Before any view middleware that assumes that CSRF attacks have been dealt
|
|
|
|
|
with.
|
|
|
|
|
|
2019-10-02 19:11:03 +08:00
|
|
|
|
Before :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`, or any
|
|
|
|
|
other authentication middleware that may perform a login, and hence rotate
|
|
|
|
|
the CSRF token, before calling down the middleware chain.
|
|
|
|
|
|
2019-01-22 16:56:48 +08:00
|
|
|
|
After ``SessionMiddleware`` if you're using :setting:`CSRF_USE_SESSIONS`.
|
2016-07-01 00:42:11 +08:00
|
|
|
|
|
2014-05-22 23:08:32 +08:00
|
|
|
|
#. :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`
|
|
|
|
|
|
|
|
|
|
After ``SessionMiddleware``: uses session storage.
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.contrib.messages.middleware.MessageMiddleware`
|
|
|
|
|
|
|
|
|
|
After ``SessionMiddleware``: can use session-based storage.
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.middleware.cache.FetchFromCacheMiddleware`
|
|
|
|
|
|
|
|
|
|
After any middleware that modifies the ``Vary`` header: that header is used
|
|
|
|
|
to pick a value for the cache hash-key.
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware`
|
|
|
|
|
|
|
|
|
|
Should be near the bottom as it's a last-resort type of middleware.
|
|
|
|
|
|
|
|
|
|
#. :class:`~django.contrib.redirects.middleware.RedirectFallbackMiddleware`
|
|
|
|
|
|
|
|
|
|
Should be near the bottom as it's a last-resort type of middleware.
|