
Additional content-type-options-nosniff test, doc and message tweaks.

1 parent 6443ee5 commit 934dd909689c42f594ce59a4b383119835e43ea3 @carljm committed Sep 23, 2011
Showing with 30 additions and 15 deletions.
  1. +2 −2 CHANGES.rst
  2. +2 −2 djangosecure/check/djangosecure.py
  3. +16 −1 djangosecure/tests.py
  4. +10 −10 doc/middleware.rst
@@ -4,11 +4,11 @@ CHANGES
tip (unreleased)
----------------
+* Added the ``X-Content-Type-Options: nosniff`` header. Thanks Johannas Heller.
+
* ``SECURE_PROXY_SSL_HEADER`` setting now patches ``request.is_secure()`` so it
respects proxied SSL, to avoid redirects to http that should be to https.
-* Added the ``X-Content-Type-Options: nosniff`` header.
-
0.1.0 (2011.05.29)
------------------
@@ -14,8 +14,8 @@ def check_security_middleware():
"SECURITY_MIDDLEWARE_NOT_INSTALLED": (
"You do not have 'djangosecure.middleware.SecurityMiddleware' "
"in your MIDDLEWARE_CLASSES, so the SECURE_HSTS_SECONDS, "
- "SECURE_FRAME_DENY, and SECURE_SSL_REDIRECT settings "
- "will have no effect.")
+ "SECURE_FRAME_DENY, SECURE_CONTENT_TYPE_NOSNIFF, and "
+ "SECURE_SSL_REDIRECT settings will have no effect.")
}
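Review bot: The list of settings named in the SECURITY_MIDDLEWARE_NOT_INSTALLED message is maintained by hand, and this very commit shows the cost: adding SECURE_CONTENT_TYPE_NOSNIFF to the middleware meant remembering to re-edit this string, and the next setting will need the same. Consider keeping one module-level tuple of the middleware-dependent setting names (say `_MIDDLEWARE_SETTINGS`, name constructed) and building the text from it, e.g. `"in your MIDDLEWARE_CLASSES, so the %s settings will have no effect." % ", ".join(_MIDDLEWARE_SETTINGS)`, so the check and the message cannot drift apart. If SECURE_PROXY_SSL_HEADER is also only honoured by the middleware (the CHANGES entry in this commit says it patches request.is_secure()), it would belong in the same list, but that cannot be confirmed from this hunk. The enclosing check_security_middleware starts above the hunk; only the closing `}` of its dict is visible here.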
@@ -136,13 +136,14 @@ def test_sts_only_if_secure(self):
@override_settings(SECURE_HSTS_SECONDS=0)
def test_sts_off(self):
"""
- With SECURE_HSTS_SECONDS of 0, the middleware does not add an
+ With SECURE_HSTS_SECONDS of 0, the middleware does not add a
"strict-transport-security" header to the response.
"""
self.assertFalse(
"strict-transport-security" in self.process_response(secure=True))
+
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
def test_content_type_on(self):
"""
@@ -154,6 +155,20 @@ def test_content_type_on(self):
self.process_response()["x-content-type-options"],
"nosniff")
+
+ @override_settings(SECURE_CONTENT_TYPE_NO_SNIFF=True)
+ def test_content_type_already_present(self):
+ """
+ The middleware will not override an "x-content-type-options" header
+ already present in the response.
+
+ """
+ response = self.process_response(
+ secure=True,
+ headers={"x-content-type-options": "foo"})
+ self.assertEqual(response["x-content-type-options"], "foo")
+
+
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=False)
def test_content_type_off(self):
"""
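Review bot: The decorator on the new test_content_type_already_present spells the setting `SECURE_CONTENT_TYPE_NO_SNIFF`, whereas the neighbouring tests in this section use `SECURE_CONTENT_TYPE_NOSNIFF`, so the override sets an unrelated key and the test runs with the project default. If that default is False the middleware never adds the header in the first place and the assertion passes without exercising the "already present" branch it claims to cover; the line should read `@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)`. The blank line left inside the docstring before its closing `"""` also differs from the other docstrings in this file, and the second hunk's following test_content_type_off continues past the end of the section.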
@@ -77,21 +77,21 @@ X-Content-Type-Options: nosniff
Some browsers will try to guess the content types of the assets that they
fetch, overriding the ``Content-Type`` header. While this can help display
-sites with improperly configured servers, it can also pose as a security
-concern.
+sites with improperly configured servers, it can also pose a security
+risk.
-If your site serves user uploaded files, a malicious user could upload a
-specially crafted file that would be interpreted as HTML or Javascript by
-the browser when you where expected it to be something harmless.
+If your site serves user-uploaded files, a malicious user could upload a
+specially-crafted file that would be interpreted as HTML or Javascript by
+the browser when you expected it to be something harmless.
To learn more about this header and how the browser treats it, you can
read about it on the `IE Security Blog`_.
-To prevent the browser from guessing the content type, and always using
-the type provided in the ``Content-Type`` header, you can pass the
-``X-Content-Type-Options: nosniff`` header. This is what the
-``SecurityMiddleware`` will do for all responses if the
-:ref:`SECURE_CONTENT_TYPE_NOSNIFF` setting is ``True``.
+To prevent the browser from guessing the content type, and force it to
+always use the type provided in the ``Content-Type`` header, you can pass
+the ``X-Content-Type-Options: nosniff`` header. ``SecurityMiddleware`` will
+do this for all responses if the :ref:`SECURE_CONTENT_TYPE_NOSNIFF` setting
+is ``True``.
.. _IE Security Blog: http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
