author | Jelle van der Waa <jelle@vdwaa.nl> | 2019-01-28 21:28:24 +0100 |
---|---|---|
committer | Jelle van der Waa <jelle@vdwaa.nl> | 2019-01-28 21:28:24 +0100 |
commit | 5895b2a2216d6b3a6103dc5f90e8d26bd29791df (patch) | |
tree | 465abd1d618ed4e9ef73355ebc8b811f1446be00 | |
parent | e8e80f357f52571c3c3ba587c446fc6da970f2cc (diff) | |
Set two more security headersrelease_2019-02-04
Enable X-Content-Type-Options to stop browsers from MIME-sniffing a
response instead of honouring its declared content type. Enable the
cross-site scripting (XSS) filter that most browsers support.
-rw-r--r-- | settings.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index a414aded..f5b282c2 100644
--- a/settings.py
+++ b/settings.py
@@ -51,6 +51,7 @@ MIDDLEWARE = (
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
     'django.middleware.http.ConditionalGetMiddleware',
 )
 
@@ -81,6 +82,12 @@ SESSION_COOKIE_HTTPONLY = True
 
 # Clickjacking protection
 X_FRAME_OPTIONS = 'DENY'
 
+# X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
+# X-XSS-Protection, enables cross-site scripting filter in most browsers
+SECURE_BROWSER_XSS_FILTER = True
+
 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'
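Review bot: SecurityMiddleware is inserted near the end of MIDDLEWARE, after XFrameOptionsMiddleware and just before ConditionalGetMiddleware, whereas Django's own guidance is to list `'django.middleware.security.SecurityMiddleware'` near the top of the tuple so that, should `SECURE_SSL_REDIRECT` or HSTS ever be switched on, the redirect and headers are applied before other middleware runs; with only the two header settings enabled here the position is harmless, but moving it now avoids a surprise later (the MIDDLEWARE tuple itself begins outside the hunk). In the second hunk, `SECURE_BROWSER_XSS_FILTER` only sets the legacy `X-XSS-Protection` header, which Firefox never implemented and which other browsers have been moving away from because the auditor itself has been abused for cross-site leaks; Django emits it as `1; mode=block`, which mitigates the worst case, but it is not a substitute for a Content-Security-Policy, and the comment would be more honest as `# X-XSS-Protection: legacy browser filter; a Content-Security-Policy is the real defence`. Note also that adding the middleware does not by itself turn on HSTS or an HTTPS redirect (`SECURE_HSTS_SECONDS` defaults to 0), so if TLS is terminated in front of this app those still need to be set either there or in this file.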