Django 6.0 release notes | Django documentation

Content Security Policy support

Built-in support for the Content Security Policy (CSP)
standard is now available, making it easier to protect web applications against
content injection attacks such as cross-site scripting (XSS). CSP allows
declaring trusted sources of content by giving browsers strict rules about
which scripts, styles, images, or other resources can be loaded.

CSP policies can now be enforced or monitored directly using built-in tools:
headers are added via the
ContentSecurityPolicyMiddleware, nonces are
supported through the csp() context
processor, and policies are configured using the SECURE_CSP and
SECURE_CSP_REPORT_ONLY settings.

These settings accept Python dictionaries and support Django-provided constants
for clarity and safety. For example:

from django.utils.csp import CSP

SECURE_CSP = {
    "default-src": [CSP.SELF],
    "script-src": [CSP.SELF, CSP.NONCE],
    "img-src": [CSP.SELF, "https:"],
}

The resulting Content-Security-Policy header would be set to:

default-src 'self'; script-src 'self' 'nonce-SECRET'; img-src 'self' https:

To get started, follow the CSP how-to guide. For in-depth
guidance, see the CSP security overview and the
reference docs, which include details about decorators to
override or disable policies on a per-view basis.

Background Tasks

Django now includes a built-in Tasks framework for running code outside the
HTTP request–response cycle. This enables offloading work, such as sending
emails or processing data, to background workers.

The framework provides task definition, validation, queuing, and result
handling. Django guarantees consistent behavior for creating and managing
tasks, while the responsibility for running them continues to belong to
external worker processes.

Tasks are defined using the task() decorator:

from django.core.mail import send_mail
from django.tasks import task


@task
def email_users(emails, subject, message):
    return send_mail(subject, message, None, emails)

Once defined, tasks can be enqueued through a configured backend:

email_users.enqueue(
    emails=["user@example.com"],
    subject="You have a message",
    message="Hello there!",
)

Backends are configured via the TASKS setting. The two built-in backends
included in this release are primarily intended for development and testing.

Django handles task creation and queuing, but does not provide a worker
mechanism to run tasks. Execution must be managed by external infrastructure,
such as a separate process or service.

See Django’s Tasks framework for an overview and the Tasks reference for API details.

Adoption of Python's modern email API

Email handling in Django now uses Python’s modern email API, introduced in
Python 3.6. This API, centered around the
email.message.EmailMessage class, offers a cleaner and
Unicode-friendly interface for composing and sending emails. It replaces use of
Python’s older legacy (Compat32) API, which relied on lower-level MIME
classes (from email.mime) and required more manual handling of
message structure and encoding.

Notably, the EmailMessage.message() method now returns an instance of Python's
email.message.EmailMessage. This supports the same API as the
previous SafeMIMEText and SafeMIMEMultipart return types, but is not an
instance of those now-deprecated classes.
