Hello there. I don’t know if this is the appropriate topic or place to ask about DRF. If not, I’m sorry.
I set Django security rules in my project, like SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and X_FRAME_OPTIONS, but how can I guarantee that these settings affect my API with DRF? Do I need to set some specific or additional configurations, or do these parameters work only with Django templates?
Keep in mind that DRF is Django - it’s an add-on package running within the context of your Django environment. It supplements functionality, it doesn’t remove or prevent anything else from working.
With that in mind, let’s look at one of the settings you’ve listed:
SECURE_CONTENT_TYPE_NOSNIFF - the docs show that if this setting is made and you have the security middleware enabled, it’s going to include the nosniff header in the response.
This header then should be included regardless of which app (DRF or a user-written app) is generating the response.
You can verify this in your browser by going to your API URL and looking at the developer tools to see what headers are included in the response.
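A way to do that check from a script or a Django test rather than by eye in the browser, as an added example that is not part of the original thread (the header names and values are the ones Django's security and clickjacking middlewares emit for the three settings in the question; the sample response is constructed):

```python
# Added example (not from the thread): check a response for the headers the
# settings in the question should produce. The sample response is constructed.
# SECURE_CONTENT_TYPE_NOSNIFF and SECURE_BROWSER_XSS_FILTER are applied by
# django.middleware.security.SecurityMiddleware (the latter was removed in
# Django 4.0); X_FRAME_OPTIONS is applied by XFrameOptionsMiddleware, so both
# middlewares must be listed in MIDDLEWARE for every header to appear.
from typing import Dict, Mapping

# setting -> (header the middleware emits, acceptable values)
EXPECTED = {
    "SECURE_CONTENT_TYPE_NOSNIFF": ("X-Content-Type-Options", {"nosniff"}),
    "SECURE_BROWSER_XSS_FILTER": ("X-XSS-Protection", {"1; mode=block"}),
    "X_FRAME_OPTIONS": ("X-Frame-Options", {"DENY", "SAMEORIGIN"}),
}


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse a pasted `curl -i` / devtools response (status line + headers)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the headers; ignore the body
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_security_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return {setting: problem} for each expected header that is missing or wrong."""
    # Works on parse_raw_response() output or Django's response.headers; names matched case-insensitively.
    lower = {k.lower(): v for k, v in headers.items()}
    problems = {}
    for setting, (header, allowed) in EXPECTED.items():
        value = lower.get(header.lower())
        if value is None:
            problems[setting] = f"{header} header missing"
        elif value not in allowed:
            problems[setting] = f"{header}: {value!r} not in {sorted(allowed)}"
    return problems


# Constructed sample: a DRF JSON response where only the nosniff header came through.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
X-Content-Type-Options: nosniff
Allow: GET, HEAD, OPTIONS

{"results": []}"""
```

In a Django test case, pass `self.client.get("/api/items/").headers` (any real API path) to `audit_security_headers()`; the test client runs the full middleware stack, so the same headers show up there as in the browser.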