Set two more security headers
Enable X-Content-Type-Options (nosniff) so browsers do not MIME-sniff a response and override its declared Content-Type. Enable the cross-site scripting (XSS) filter supported by most browsers.
This commit is contained in:
parent
e8e80f357f
commit
5895b2a221
@ -51,6 +51,7 @@
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.middleware.http.ConditionalGetMiddleware',
)
@ -81,6 +82,12 @@
# Clickjacking protection
X_FRAME_OPTIONS = 'DENY'
# X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
SECURE_CONTENT_TYPE_NOSNIFF = True
# X-XSS-Protection, enables cross-site scripting filter in most browsers
SECURE_BROWSER_XSS_FILTER = True
# Use new test runner
TEST_RUNNER = 'django.test.runner.DiscoverRunner'
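Review bot: `SECURE_BROWSER_XSS_FILTER = True` in the second hunk buys little and its comment overstates the benefit: the `X-XSS-Protection` header it emits drives a legacy browser heuristic that Firefox never implemented and that Chromium and Edge have since removed, and Django itself later deprecated and then dropped the setting (3.0/4.0), so "enables cross-site scripting filter in most browsers" will not stay true. Keeping it is harmless for old browsers, but the comment should state the limit so nobody treats it as the XSS control, e.g. `# X-XSS-Protection: legacy browser heuristic only, ignored by modern browsers; output escaping and a Content-Security-Policy are the real XSS defences`. Separately, the new `django.middleware.security.SecurityMiddleware` entry in the first hunk is placed near the end of the middleware tuple, whereas Django recommends it near the top so that, if `SECURE_SSL_REDIRECT` or HSTS are enabled later, the redirect happens before other middleware runs; with only the two header options set here the order does not matter yet, but moving it up now avoids a subtle regression later. The start of the middleware tuple lies outside that hunk, so the full ordering cannot be checked from this view.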