Set two more security headers

Enable X-Content-Type-Options to prevent a browser from sniffing the MIME type if the content type is not set. Enable cross site filter protection supported by most browsers.

Set two more security headers
Enable X-Content-Type-Options to prevent a browser from sniffing the MIME type if the content type is not set. Enable cross site filter protection supported by most browsers.
5895b2a2 · Jelle van der Waa · e8e80f35 · 5895b2a2
Verified Commit 5895b2a2 authored Jan 28, 2019 by Jelle van der Waa 🚧
--- a/settings.py
+++ b/settings.py
@@ -51,6 +51,7 @@
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
    'django.middleware.http.ConditionalGetMiddleware',
 )

@@ -81,6 +82,12 @@
 # Clickjacking protection
 X_FRAME_OPTIONS = 'DENY'

+# X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
+# X-XSS-Protection, enables cross-site scripting filter in most browsers
+SECURE_BROWSER_XSS_FILTER = True
+
 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'