Default settings¶
Django settings¶
CSRF_COOKIE_NAME¶
Default: __Host-csrftoken
Tip
See the Mozilla Http Observatory recommendations regarding cookies.
CSRF_COOKIE_SAMESITE¶
Default: Lax
Note
This setting is available in Django 2.2 or through the django-cookie-samesite package in Django 1.11.
SECURE_BROWSER_XSS_FILTER¶
Default: True
SECURE_CONTENT_TYPE_NOSNIFF¶
Default: True
SECURE_HSTS_INCLUDE_SUBDOMAINS¶
Default: True
Warning
Activating HSTS may irreversibly break your site (for SECURE_HSTS_SECONDS) if improperly configured. Review Django’s advice regarding HSTS first!
SECURE_HSTS_PRELOAD¶
Default: True
Warning
Activating HSTS may irreversibly break your site (for SECURE_HSTS_SECONDS) if improperly configured. Review Django’s advice regarding HSTS first!
SECURE_HSTS_SECONDS¶
Default: 183 * 24 * 60 * 60
Warning
Activating HSTS may irreversibly break your site (for SECURE_HSTS_SECONDS) if improperly configured. Review Django’s advice regarding HSTS first!
SESSION_COOKIE_SAMESITE¶
Default: Lax
Note
This setting is available in Django 2.2 or through django-cookie-samesite package in Django 1.11.
Django-CSP settings¶
See the django-csp docs for full details.
CSP_BASE_URI¶
Default: ["'none'"]
CSP_DEFAULT_SRC¶
Default: ["'self'"]
CSP_FONT_SRC¶
Default: ["'self'"]
CSP_FORM_ACTION¶
Default: ["'self'"]
CSP_FRAME_ANCESTORS¶
Default: ["'none'"]
CSP_FRAME_SRC¶
Default: ["*"]
CSP_IMG_SRC¶
Default: ["*", "data:"]
CSP_MEDIA_SRC¶
Default: ["*", "data:"]
CSP_SCRIPT_SRC¶
Default: ["'self'"]
CSP_STYLE_SRC¶
Default: ["'self'"]
CSP_INCLUDE_NONCE_IN¶
Default: ["script-src", "style-src"]
CSP_UPGRADE_INSECURE_REQUESTS¶
Default: True
CSP_BLOCK_ALL_MIXED_CONTENT¶
Default: True
CSP_REPORT_PERCENTAGE¶
Default: 0.1
Middleware settings¶
REFERRER_POLICY¶
Default: same-origin
Tip
See the Mozilla Http Observatory recommendations regarding the referrer-policy as well as Scott Helme’s discussion.
FEATURE_POLICY¶
Default:
[
"autoplay 'none'",
"camera 'none'",
"display-capture 'none'",
"document-domain 'none'",
"encrypted-media 'none'",
"fullscreen *",
"geolocation 'none'",
"microphone 'none'",
"midi 'none'",
"payment 'none'",
"vr *",
]
Tip
See Scott Helme’s discussion on the new feature policy header.
FRAMING_ALLOWED_FROM¶
Default: deny
Safe domains for X-FRAME-OPTIONS can be specified two ways:
- Through the admin interface, or
- In
settings.pyby assigning a list toFRAMING_ALLOWED_FROM. This list supersedes any database entries: if this list is set, domains entered through admin are ignored. To allow all domains, setFRAMING_ALLOWED_FROM = ["*"]