From 5895b2a2216d6b3a6103dc5f90e8d26bd29791df Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@vdwaa.nl>
Date: Mon, 28 Jan 2019 21:28:24 +0100
Subject: Set two more security headers

Enable X-Content-Type-Options to prevent a browser from sniffing the
MIME type if the content type is not set. Enable cross site filter
protection supported by most browsers.
---
 settings.py | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'settings.py')

diff --git a/settings.py b/settings.py
index a414aded..f5b282c2 100644
--- a/settings.py
+++ b/settings.py
@@ -51,6 +51,7 @@ MIDDLEWARE = (
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
     'django.middleware.http.ConditionalGetMiddleware',
 )
 
@@ -81,6 +82,12 @@ SESSION_COOKIE_HTTPONLY = True
 # Clickjacking protection
 X_FRAME_OPTIONS = 'DENY'
 
+# X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
+# X-XSS-Protection, enables cross-site scripting filter in most browsers
+SECURE_BROWSER_XSS_FILTER = True
+
 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'
 
-- 
cgit v1.2.3-55-g3dc8