SecurityMiddleware
This class provides several security enhancements to the request/response cycle by enforcing SSL redirects and managing critical security headers. It handles the configuration of HTTP Strict Transport Security (HSTS), Content-Type sniffing protections, Referrer Policy, and Cross-Origin Opener Policy based on application settings. Additionally, it can redirect non-secure HTTP requests to HTTPS for all non-exempt URL paths.
Attributes
| Attribute | Type | Description |
|---|---|---|
| sts_seconds | integer | The value of the max-age directive of the Strict-Transport-Security header, in seconds, instructing browsers to reach the site only over HTTPS for that period. A value of 0 disables the header. |
| sts_include_subdomains | boolean | A boolean flag that, when enabled, adds the includeSubDomains directive to the Strict-Transport-Security header to apply the policy to all subdomains. |
| sts_preload | boolean | A boolean flag that adds the preload directive to the Strict-Transport-Security header, allowing the site to be included in browser HSTS preload lists. |
| content_type_nosniff | boolean | A boolean flag that determines whether to set the X-Content-Type-Options: nosniff header to prevent browsers from MIME-sniffing the response. |
| redirect | boolean | A boolean flag indicating whether to redirect all non-HTTPS requests to HTTPS. |
| redirect_host | string | The specific hostname to use for SSL redirects, defaulting to the request's host if not provided. |
| redirect_exempt | list of regex patterns | A list of compiled regular expression patterns representing URL paths that should be excluded from the SSL redirect logic. |
| referrer_policy | string or iterable | A string or iterable defining the Referrer-Policy header value to control how much referrer information is included with requests. |
| cross_origin_opener_policy | string | The value for the Cross-Origin-Opener-Policy header used to isolate the top-level browsing context from other documents. |
Constructor
Signature
def SecurityMiddleware(
get_response: callable
) -> None
Parameters
| Name | Type | Description |
|---|---|---|
| get_response | callable | The next middleware or view in the request/response chain. |
Methods
process_request()
def process_request(
request: [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest)
) -> HttpResponsePermanentRedirect | None
Redirects non-secure HTTP requests to HTTPS if the redirect setting is enabled and the request path is not explicitly exempted.
Parameters
| Name | Type | Description |
|---|---|---|
| request | [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest) | The incoming Django request object used to check security status and path exemption. |
Returns
| Type | Description |
|---|---|
| HttpResponsePermanentRedirect or None | A permanent redirect to the HTTPS equivalent of the requested URL when the request is non-secure, redirection is enabled and the path is not exempt; otherwise None, so the request continues down the chain. |
process_response()
def process_response(
request: [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest),
response: [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse)
) -> [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse)
Applies security-related HTTP headers to the outgoing response, including HSTS, X-Content-Type-Options, Referrer-Policy, and Cross-Origin-Opener-Policy.
Parameters
| Name | Type | Description |
|---|---|---|
| request | [HttpRequest](../../http/request/httprequest.md?sid=django_http_request_httprequest) | The original request object used to verify if the connection is secure for HSTS application. |
| response | [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) | The outgoing response object that will receive the security header configurations. |
Returns
| Type | Description |
|---|---|
| [HttpResponse](../../http/response/httpresponse.md?sid=django_http_response_httpresponse) | The modified response object containing the newly injected security headers. |
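The redirect rule of process_request() and the header rules of process_response() described above, as an added example that is not Django's own code: it models both with plain strings and dicts in place of HttpRequest and HttpResponse (the SecuritySettings class, is_secure flag and header dict are assumptions) so it runs without Django installed.

```python
# Added example, not Django's own code: a standalone model of the rules this
# middleware applies, using plain dicts so it runs without Django installed.
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Union


@dataclass
class SecuritySettings:  # hypothetical stand-in for the middleware attributes
    sts_seconds: int = 0
    sts_include_subdomains: bool = False
    sts_preload: bool = False
    content_type_nosniff: bool = True
    referrer_policy: Optional[Union[str, Iterable[str]]] = "same-origin"
    cross_origin_opener_policy: Optional[str] = "same-origin"
    redirect: bool = False
    redirect_host: Optional[str] = None
    redirect_exempt: List[str] = field(default_factory=list)  # regexes on the path


def https_redirect_target(s: SecuritySettings, is_secure: bool, host: str, full_path: str) -> Optional[str]:
    """Return the HTTPS URL to redirect to, or None when the request may proceed."""
    path = full_path.split("?", 1)[0].lstrip("/")  # exemptions match the path without the leading slash
    exempt = [re.compile(p) for p in s.redirect_exempt]
    if s.redirect and not is_secure and not any(p.search(path) for p in exempt):
        return f"https://{s.redirect_host or host}{full_path}"
    return None


def apply_security_headers(s: SecuritySettings, is_secure: bool, headers: Dict[str, str]) -> Dict[str, str]:
    """Headers already present on the response win, so a view can override the middleware."""
    out = dict(headers)
    # HSTS only over HTTPS: RFC 6797 forbids sending the header over non-secure
    # transport, and browsers ignore it there anyway.
    if s.sts_seconds and is_secure and "Strict-Transport-Security" not in out:
        value = f"max-age={s.sts_seconds}"
        if s.sts_include_subdomains:
            value += "; includeSubDomains"
        if s.sts_preload:
            value += "; preload"
        out["Strict-Transport-Security"] = value
    if s.content_type_nosniff:
        out.setdefault("X-Content-Type-Options", "nosniff")
    if s.referrer_policy:
        # A comma-separated string or an iterable gives browsers a fallback list.
        values = s.referrer_policy.split(",") if isinstance(s.referrer_policy, str) else s.referrer_policy
        out.setdefault("Referrer-Policy", ",".join(v.strip() for v in values))
    if s.cross_origin_opener_policy:
        out.setdefault("Cross-Origin-Opener-Policy", s.cross_origin_opener_policy)
    return out
```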