Django Security middleware

What is middleware?

In general, middleware is a component that sits between two programs or services and mediates what passes between them. In a web framework it behaves like a plugin: it can inspect or modify every request on the way in and every response on the way out, without the individual views having to know about it.

Middleware in Django

Middleware is a framework of hooks into Django’s request/response processing.

Django ships with a set of built-in middleware and also lets you write custom middleware.

This post is limited to SecurityMiddleware.

SecurityMiddleware (django.middleware.security.SecurityMiddleware) is one of Django's built-in middleware classes. It provides several security enhancements to the request/response cycle: it can redirect plain-HTTP requests to HTTPS and it adds a handful of security response headers. It only does anything when it is listed in MIDDLEWARE, and it should sit near the top of that list so that its redirect happens before other middleware does work on a plaintext request.

The following settings control it and can be set or updated in Django's settings.py (the value shown is the default):

  • SECURE_CONTENT_TYPE_NOSNIFF = True
  • SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"
  • SECURE_HSTS_SECONDS = 0
  • SECURE_HSTS_INCLUDE_SUBDOMAINS = False
  • SECURE_HSTS_PRELOAD = False
  • SECURE_REDIRECT_EXEMPT = []
  • SECURE_REFERRER_POLICY = "same-origin"
  • SECURE_SSL_HOST = None
  • SECURE_SSL_REDIRECT = False

Let's discuss each setting in more detail.
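To see how the settings fit together before going through them one by one, here is a settings.py fragment for an HTTPS-only site. It is added here as an example and is not taken from the post or from Django itself; the MIDDLEWARE order, the health-check path and the proxy header are assumptions about one particular deployment, and each setting's Django default is shown in the comment next to it.

```python
# settings.py fragment (added example, not from the original post).
# Right-hand comments give the value Django ships with; the assigned
# values are the hardened choice for a site served only over HTTPS.

MIDDLEWARE = [
    # SecurityMiddleware first, so its HTTPS redirect fires before any other
    # middleware (sessions, CSRF, auth) does work on a plaintext request.
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]

SECURE_CONTENT_TYPE_NOSNIFF = True                  # default: True
SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"   # default: "same-origin"

# HSTS. On a first rollout start with a small value such as 3600 and raise it
# to a year only once every host under the domain is known to serve valid HTTPS:
# browsers cache the policy and a mistake cannot be undone from the server side.
SECURE_HSTS_SECONDS = 31536000                      # default: 0 (header not sent)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True               # default: False
SECURE_HSTS_PRELOAD = True                          # default: False

SECURE_SSL_REDIRECT = True                          # default: False
# Assumed: an unauthenticated load-balancer health check that must stay on HTTP.
# Patterns are matched against the path with its leading slash removed.
SECURE_REDIRECT_EXEMPT = [r"^healthz/$"]            # default: []
SECURE_SSL_HOST = None                              # default: None (redirect to same host)

SECURE_REFERRER_POLICY = "same-origin"              # default: "same-origin"

# Only for deployments where TLS terminates at a reverse proxy in front of
# Django (assumption). The proxy MUST overwrite this header on every incoming
# request; if clients can set it themselves, they can make Django treat a
# plaintext request as secure.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
```

After changing these, `python manage.py check --deploy` reports each of the SECURE_* settings that is still at an insecure value, which is a quick way to confirm the configuration actually loaded.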


SECURE_CONTENT_TYPE_NOSNIFF

X-Content-Type-Options is a response header that a web server sends to protect users from MIME-type confusion attacks. It tells the browser to use only the Content-Type the server declared and never to guess the real type from the content.

  • Default - True
  • When set to True, SecurityMiddleware sets the header X-Content-Type-Options: nosniff on every response.
  • It should stay enabled: without it, browsers may inspect the bytes of a response, decide that the declared Content-Type is wrong and render the body as something else, for example treating a user-uploaded "image" as HTML or JavaScript.
  • nosniff prevents the client from "sniffing" the asset to decide whether the file type is something other than what the server declared.


SECURE_CROSS_ORIGIN_OPENER_POLICY

This setting sets the Cross-Origin-Opener-Policy header. The header controls whether a top-level document shares a browsing context group with cross-origin documents that opened it or that it opens (for example with window.open or a target="_blank" link). When the document is isolated, a cross-origin window cannot obtain a reference to it, so cross-window scripting and leaks between the two are cut off.

  • Default - "same-origin"
  • Set it to None to leave the header unset.

Allowed Options


same-origin
  • Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context. This is the default and most secure option.

same-origin-allow-popups
  • Isolates the browsing context to same-origin documents or those which either don't set COOP or which opt out of isolation by setting a COOP of unsafe-none. Use this when the site itself opens cross-origin popups (for example a payment or OAuth window) that must keep a reference to the opener.

unsafe-none
  • Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups. This is the browser behaviour when no header is sent.


SECURE_HSTS_SECONDS

This setting sets the Strict-Transport-Security header. HTTP Strict Transport Security (HSTS) tells web browsers that, for the number of seconds given in max-age:

  1. communication with the site must always be over TLS, so the browser rewrites http:// links and typed URLs to https:// before sending the request
  2. certificate validation errors cannot be clicked through: on any validation failure the connection is terminated.
  • Default - 0 i.e. the Strict-Transport-Security header is not set
  • To enable it, set it to a positive integer: the number of seconds the browser should remember the policy
  • The usual recommendation is 1 year (31536000 seconds). When rolling it out for the first time, start with a small value such as 3600 so that a misconfigured subdomain or certificate can be fixed before browsers cache the policy for a year; the server cannot revoke a cached HSTS policy.
  • Syntax: Strict-Transport-Security: max-age=<expiry-time-in-seconds>
  • SecurityMiddleware only adds the header to responses that are themselves served over HTTPS (browsers ignore HSTS received over plain HTTP), so pair it with SECURE_SSL_REDIRECT.
Note: The first request is not protected. The browser has not yet seen the header, so an attacker who can intercept that initial plaintext connection (for example on a hostile Wi-Fi network) can attack it before HSTS ever takes effect.


SECURE_HSTS_INCLUDE_SUBDOMAINS

This setting appends includeSubDomains to the Strict-Transport-Security header. It extends the HSTS policy (explained above) to all subdomains of the domain that sent it.

  • Default - False
  • To enable it, set it to True
  • Example: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Before enabling it, make sure every subdomain (including internal or legacy ones) serves valid HTTPS, because browsers will refuse plain-HTTP connections to all of them for the whole max-age.


SECURE_HSTS_PRELOAD

Setting max-age in the HSTS header does not make the site fully protected, because the first request is still unprotected. HSTS therefore offers a preload directive: you can submit your domain to the HSTS preload list (hstspreload.org), which is maintained by Google for Chrome and is also used by the other major browsers.
Once approved, your domain is shipped inside the browser as HTTPS-only, so the browser upgrades even the very first request before it has ever seen your header.

  • Default - False i.e. no preload directive is set
  • If set to True, the Strict-Transport-Security header gains the parameter preload
  • Example: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present.
  • Preloading is effectively permanent: removal from the list takes months to reach users, so only submit a domain whose every subdomain will stay HTTPS-only.
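The following added example (mine, not Django's code) builds the Strict-Transport-Security value from the three SECURE_HSTS_* settings the way SecurityMiddleware assembles it, and then checks a header value against the preload requirements listed above. It checks only the header text; hstspreload.org additionally verifies the certificate and the HTTP-to-HTTPS redirect on the live site, which an offline function cannot do.

```python
import re

ONE_YEAR = 31536000  # minimum max-age accepted by the preload list


def hsts_header_value(seconds, include_subdomains=False, preload=False):
    """Strict-Transport-Security value as SecurityMiddleware assembles it from
    SECURE_HSTS_SECONDS / SECURE_HSTS_INCLUDE_SUBDOMAINS / SECURE_HSTS_PRELOAD.
    Returns None when seconds is 0: the middleware then sends no header at all."""
    if not seconds:
        return None
    value = "max-age=%d" % seconds
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def preload_problems(header_value):
    """Compare a Strict-Transport-Security value with the header requirements of
    the preload list: max-age >= 1 year, includeSubDomains, preload.
    Returns a list of human-readable problems; an empty list means eligible."""
    if header_value is None:
        return ["header not sent (SECURE_HSTS_SECONDS is 0)"]
    # Directive names are case-insensitive, so compare lower-cased.
    directives = [d.strip().lower() for d in header_value.split(";")]
    problems = []
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        problems.append("max-age directive missing or malformed")
    elif max_age < ONE_YEAR:
        problems.append("max-age %d is below the required %d" % (max_age, ONE_YEAR))
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed settings combinations, from the default to a preload-ready one.
    for seconds, subs, pre in [(0, False, False), (3600, False, False),
                               (ONE_YEAR, False, True), (ONE_YEAR, True, True)]:
        value = hsts_header_value(seconds, subs, pre)
        print(value, "->", preload_problems(value) or "preload eligible")
```

Pointing `preload_problems` at the header of a real response (for example the value returned by `requests.get(url).headers.get("Strict-Transport-Security")`) gives a quick pre-flight check before submitting a domain.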


SECURE_REDIRECT_EXEMPT

  • Default - []
  • Only has an effect when SECURE_SSL_REDIRECT is True
  • If a URL path matches a regular expression in this list, the request will not be redirected to HTTPS. SecurityMiddleware strips the leading slash from the URL path before matching, so patterns shouldn't include it, e.g. SECURE_REDIRECT_EXEMPT = [r'^no-ssl/$', …]
  • Keep this list short and specific (a health-check endpoint, an ACME challenge path); every exempt path is a URL an attacker can keep a victim on plain HTTP.


SECURE_REFERRER_POLICY

  • Default - "same-origin"
  • It sets the Referrer-Policy header on every response that does not already have one. The header controls how much of the current page's URL the browser puts in the Referer header of navigations and sub-resource requests it makes from that page, which matters whenever URLs carry tokens, search terms or other sensitive query parameters.
  • The value can also be a comma-separated string or a list of values; browsers use the last value they understand, so older policies can be listed first as fallbacks.
  • Set it to None to leave the header unset.

Allowed Values


no-referrer
  • Instructs the browser to send no referrer for links clicked on this site.

no-referrer-when-downgrade
  • Instructs the browser to send a full URL as the referrer, but only when no protocol downgrade (HTTPS to HTTP) occurs.

origin
  • Instructs the browser to send only the origin, not the full URL, as the referrer.

origin-when-cross-origin
  • Instructs the browser to send the full URL as the referrer for same-origin links, and only the origin for cross-origin links.

same-origin
  • Instructs the browser to send a full URL, but only for same-origin links. No referrer will be sent for cross-origin links.

strict-origin
  • Instructs the browser to send only the origin, not the full URL, and to send no referrer when a protocol downgrade occurs.

strict-origin-when-cross-origin
  • Instructs the browser to send the full URL when the link is same-origin and no protocol downgrade occurs; send only the origin when the link is cross-origin and no protocol downgrade occurs; and no referrer when a protocol downgrade occurs.

unsafe-url
  • Instructs the browser to always send the full URL as the referrer, even to HTTP targets. This leaks query strings to every third party and should not be used.
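To make the differences between these values concrete, here is an added example (not from the post) that works out what a browser will put in the Referer header for each policy, given the page a request originates from and the target it goes to. It models a downgrade as an https page linking to an http target and strips credentials and the fragment from the full URL, as browsers do; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight values Django accepts for SECURE_REFERRER_POLICY.
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _host(parts):
    # hostname plus explicit port, without any user:pass@ credentials
    host = parts.hostname or ""
    return host + (":%d" % parts.port if parts.port else "")


def origin_of(url):
    """scheme://host[:port]/ of a URL, which is all the 'origin' policies reveal."""
    p = urlsplit(url)
    return "%s://%s/" % (p.scheme, _host(p))


def full_referrer(url):
    """The full URL as a browser sends it: credentials and fragment stripped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))


def referrer_sent(policy, source, target):
    """Referer value for a request from `source` to `target` under `policy`:
    the full URL, the origin, or None when nothing is sent."""
    same_origin = origin_of(source) == origin_of(target)
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(target).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_of(source)
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_referrer(source) if same_origin else origin_of(source)
    raise ValueError("unknown Referrer-Policy value: %r" % policy)


def compare_policies(source, target):
    """Table of policy -> Referer value for one source/target pair."""
    return {policy: referrer_sent(policy, source, target) for policy in POLICIES}


if __name__ == "__main__":
    # Constructed sample: a password-reset page whose URL carries a token.
    page = "https://app.example/account/reset?token=abc123#step2"
    for target in ("https://app.example/help",      # same origin
                   "https://partner.example/",      # cross origin, still HTTPS
                   "http://partner.example/"):      # cross origin, downgrade
        print(target)
        for policy, sent in compare_policies(page, target).items():
            print("  %-32s %s" % (policy, sent))
```

Running it shows why the Django default of "same-origin" is a safe choice for an application that puts secrets in query strings: the token in the sample URL never leaves the origin, whereas no-referrer-when-downgrade and unsafe-url hand it to partner.example.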


SECURE_SSL_HOST

  • Default - None
  • Only has an effect when SECURE_SSL_REDIRECT is True
  • If set, every SSL redirect goes to this host instead of the host in the original request. This is useful when HTTPS is only served on one canonical hostname (for example a bare domain and a www variant that both answer on HTTP). It changes only the redirect target, not how other requests are handled.


SECURE_SSL_REDIRECT

  • Default - False
  • If set to True, SecurityMiddleware answers every non-HTTPS request with a permanent (301) redirect to the same URL over HTTPS.
  • Exception: URLs matching a pattern in SECURE_REDIRECT_EXEMPT are not redirected.
  • Caveat: when TLS is terminated by a load balancer or reverse proxy, Django itself only ever sees plain HTTP and will redirect every request, including the ones that were already HTTPS, producing an infinite redirect loop. Fix it by telling Django which header the proxy sets, e.g. SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https"), and make sure the proxy overwrites that header on all incoming requests so a client cannot forge it. Alternatively, do the HTTP-to-HTTPS redirect in the proxy and leave this setting False.
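The following added example is my own model of the middleware's redirect decision rather than Django's code. It uses a minimal stand-in for the request object and shows the exempt-pattern matching on the path without its leading slash, the SECURE_SSL_HOST substitution, and why a TLS-terminating proxy causes a redirect loop until SECURE_PROXY_SSL_HEADER names the header it sets. The hostnames and request values are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for the parts of HttpRequest the redirect logic needs
    (assumed structure for this example, not Django's class)."""
    host: str
    path: str
    query: str = ""
    scheme: str = "http"                     # scheme of the socket Django itself sees
    meta: dict = field(default_factory=dict)  # WSGI environ, e.g. HTTP_X_FORWARDED_PROTO

    def get_full_path(self):
        return self.path + ("?" + self.query if self.query else "")


def is_secure(request, proxy_ssl_header=None):
    """Model of HttpRequest.is_secure(): trust a proxy header only when
    SECURE_PROXY_SSL_HEADER names it, otherwise go by the socket scheme."""
    if proxy_ssl_header is not None:
        name, secure_value = proxy_ssl_header
        value = request.meta.get(name)
        if value is not None:
            # If several proxies appended values, the first one is authoritative.
            return value.split(",", 1)[0].strip() == secure_value
    return request.scheme == "https"


def ssl_redirect_target(request, *, ssl_redirect=False, redirect_exempt=(),
                        ssl_host=None, proxy_ssl_header=None):
    """Return the https:// URL SecurityMiddleware would 301 to, or None when the
    request is served as-is. Keyword names mirror the SECURE_* settings."""
    if not ssl_redirect or is_secure(request, proxy_ssl_header):
        return None
    # SECURE_REDIRECT_EXEMPT patterns are searched against the path without
    # its leading slash, which is why r'^no-ssl/$' matches "/no-ssl/".
    path = request.path.lstrip("/")
    if any(re.compile(pattern).search(path) for pattern in redirect_exempt):
        return None
    host = ssl_host or request.host
    return "https://%s%s" % (host, request.get_full_path())


if __name__ == "__main__":
    login = Request("app.example", "/accounts/login/", "next=/")
    print(ssl_redirect_target(login, ssl_redirect=True))
    print(ssl_redirect_target(login, ssl_redirect=True, ssl_host="secure.example"))
    print(ssl_redirect_target(Request("app.example", "/no-ssl/"),
                              ssl_redirect=True, redirect_exempt=[r"^no-ssl/$"]))
    # Behind a TLS-terminating proxy: Django sees http, the proxy says https.
    proxied = Request("app.example", "/", meta={"HTTP_X_FORWARDED_PROTO": "https"})
    print(ssl_redirect_target(proxied, ssl_redirect=True))               # loop
    print(ssl_redirect_target(proxied, ssl_redirect=True,
                              proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https")))
```

The last two calls are the redirect-loop case: the proxied request keeps being sent to https://app.example/ until SECURE_PROXY_SSL_HEADER is configured. The same trust is the danger in the other direction: if the proxy does not strip a client-supplied X-Forwarded-Proto: https, `is_secure` returns True for a plaintext request and the redirect is skipped.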

Happy Coding!