authorJelle van der Waa <jelle@vdwaa.nl>2019-01-28 21:28:24 +0100
committerJelle van der Waa <jelle@vdwaa.nl>2019-01-28 21:28:24 +0100
commit5895b2a2216d6b3a6103dc5f90e8d26bd29791df (patch)
tree465abd1d618ed4e9ef73355ebc8b811f1446be00
parente8e80f357f52571c3c3ba587c446fc6da970f2cc (diff)
Set two more security headers (release_2019-02-04)
Enable X-Content-Type-Options to prevent a browser from sniffing the MIME type if the content type is not set. Enable the cross-site scripting filter supported by most browsers.
-rw-r--r--settings.py7
1 files changed, 7 insertions, 0 deletions
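--- a/settings.py
+++ b/settings.py
@@ -51,6 +51,7 @@ MIDDLEWARE = (
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'django.middleware.security.SecurityMiddleware',
 'django.middleware.http.ConditionalGetMiddleware',
 )
@@ -81,6 +82,12 @@ SESSION_COOKIE_HTTPONLY = True
 # Clickjacking protection
 X_FRAME_OPTIONS = 'DENY'
+# X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
+# X-XSS-Protection, enables cross-site scripting filter in most browsers
+SECURE_BROWSER_XSS_FILTER = True
+
 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'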
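Review bot: SecurityMiddleware is inserted near the end of MIDDLEWARE, after XFrameOptionsMiddleware, whereas Django's documentation and the default project template place it first so that its response headers are applied to every response, including ones produced early by middleware listed above it; move `'django.middleware.security.SecurityMiddleware',` to the top of the tuple. The MIDDLEWARE tuple begins before the first hunk, so the rest of its ordering is not visible here. In the second hunk, SECURE_CONTENT_TYPE_NOSNIFF is a real defense-in-depth gain, but X-XSS-Protection is a legacy header: current browsers have removed the filter it controls, Django later deprecated SECURE_BROWSER_XSS_FILTER, and it is not a substitute for a Content-Security-Policy, so a comment such as `# Legacy header; modern browsers ignore it, CSP is the effective XSS mitigation` would keep later readers from relying on it. Note also that adding the middleware does not, as far as this diff shows, enable HSTS or the HTTPS redirect it can provide, which remain at their defaults.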