
Class SecurityMiddleware

django/middleware/security.py:8–66  ·  view source on GitHub ↗

8class SecurityMiddleware(MiddlewareMixin):
def __init__(self, get_response):
    """Snapshot the ``SECURE_*`` settings this middleware acts on.

    Args:
        get_response: Next callable in the middleware chain; handed straight
            to ``MiddlewareMixin``.

    Every value is read from ``settings`` exactly once, here, so a setting
    changed after the middleware is instantiated is not seen by later
    requests.
    """
    super().__init__(get_response)

    # Strict-Transport-Security parameters (consumed in process_response).
    self.sts_seconds = settings.SECURE_HSTS_SECONDS
    self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
    self.sts_preload = settings.SECURE_HSTS_PRELOAD

    # X-Content-Type-Options toggle.
    self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF

    # HTTP -> HTTPS redirect (consumed in process_request). The exemption
    # regexes are compiled once here rather than on every request.
    self.redirect = settings.SECURE_SSL_REDIRECT
    self.redirect_host = settings.SECURE_SSL_HOST
    self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]

    # Referrer-Policy and Cross-Origin-Opener-Policy values, used as-is.
    self.referrer_policy = settings.SECURE_REFERRER_POLICY
    self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
def process_request(self, request):
    """Redirect plain-HTTP requests to HTTPS when ``SECURE_SSL_REDIRECT`` is set.

    Args:
        request: The incoming request.

    Returns:
        An ``HttpResponsePermanentRedirect`` to the ``https://`` form of the
        same path and query string, or ``None`` to let the request proceed.
        A request proceeds untouched when redirecting is disabled, when it
        already arrived over HTTPS, or when its path (leading ``/`` removed)
        is matched by any ``SECURE_REDIRECT_EXEMPT`` pattern.
    """
    stripped_path = request.path.lstrip("/")

    if not self.redirect or request.is_secure():
        return None

    # Exemptions use search(), not match(): an unanchored pattern matches
    # anywhere in the slash-stripped path.
    for exempt_pattern in self.redirect_exempt:
        if exempt_pattern.search(stripped_path):
            return None

    # SECURE_SSL_HOST, when set, wins over the Host header; otherwise the
    # host comes from request.get_host(), which Django validates against
    # ALLOWED_HOSTS.
    target_host = self.redirect_host or request.get_host()
    location = "https://%s%s" % (target_host, request.get_full_path())
    return HttpResponsePermanentRedirect(location)
33 def process_response(self, request, response):
34 if (
35 self.sts_seconds
36 and request.is_secure()
37 and "Strict-Transport-Security" not in response
38 ):
39 sts_header = "max-age=%s" % self.sts_seconds
40 if self.sts_include_subdomains:
41 sts_header += "; includeSubDomains"
42 if self.sts_preload:
43 sts_header += "; preload"
44 response.headers["Strict-Transport-Security"] = sts_header
45
46 if self.content_type_nosniff:
47 response.headers.setdefault("X-Content-Type-Options", "nosniff")
48
49 if self.referrer_policy:
50 # Support a comma-separated string or iterable of values to allow
51 # fallback.
52 response.headers.setdefault(
53 "Referrer-Policy",
54 ",".join(
55 [v.strip() for v in self.referrer_policy.split(",")]
56 if isinstance(self.referrer_policy, str)
57 else self.referrer_policy
58 ),
59 )
60
61 if self.cross_origin_opener_policy:
62 response.setdefault(
63 "Cross-Origin-Opener-Policy",
64 self.cross_origin_opener_policy,
65 )
