Fixed #24796 -- Added a hint on placement of SecurityMiddleware in MIDDLEWARE_CLASSES.

Also moved it in the project template.
2015-06-05 16:50:53 +01:00 · 2015-06-05 16:50:53 +01:00 · 8b1f39a727
parent 167a3203b6
commit 8b1f39a727
3 changed files with 8 additions and 2 deletions
--- a/django/conf/project_template/project_name/settings.py
+++ b/django/conf/project_template/project_name/settings.py
@ -40,6 +40,7 @@ INSTALLED_APPS = [
 ]

 MIDDLEWARE_CLASSES = [
+    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
@ -47,7 +48,6 @@ MIDDLEWARE_CLASSES = [
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
-    'django.middleware.security.SecurityMiddleware',
 ]

 ROOT_URLCONF = '{{ project_name }}.urls'
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@ -411,6 +411,12 @@ Middleware ordering

 Here are some hints about the ordering of various Django middleware classes:

+#. :class:`~django.middleware.security.SecurityMiddleware`
+
+   It should go near the top of the list if you're going to turn on the SSL
+   redirect as that avoids running through a bunch of other unnecessary
+   middleware.
+
 #. :class:`~django.middleware.cache.UpdateCacheMiddleware`

   Before those that modify the ``Vary`` header (``SessionMiddleware``,
--- a/docs/topics/http/middleware.txt
+++ b/docs/topics/http/middleware.txt
@ -28,6 +28,7 @@ here's the default value created by :djadmin:`django-admin startproject
 <startproject>`::

    MIDDLEWARE_CLASSES = [
+        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
@ -35,7 +36,6 @@ here's the default value created by :djadmin:`django-admin startproject
        'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
-        'django.middleware.security.SecurityMiddleware',
    ]

 A Django installation doesn't require any middleware —