Latest version: v4.0.0

Page 1 of 9



* Add ``CORS_ALLOW_PRIVATE_NETWORK_ACCESS`` setting, which enables support for the Local Network Access draft specification.

Thanks to Issac Kelly in `PR 745 <>`__ and jjurgens0 in `PR #833 <>`__.

* Remove three headers from the default "accept list": ``accept-encoding``, ``dnt``, and ``origin``.
These are `Forbidden header names <>`__, which means that browser JavaScript can never set them on a request.
Consequently, allowing them via CORS has no effect.

Thanks to jub0bs for the report in `Issue 842 <>`__.

* Drop the ``CORS_REPLACE_HTTPS_REFERER`` setting and ``CorsPostCsrfMiddleware``.
Since Django 1.9, the ``CSRF_TRUSTED_ORIGINS`` setting has been the preferred solution to making CSRF checks pass for CORS requests.
The removed setting and middleware only existed as a workaround for Django versions before 1.9.

* Add async support to the middleware, reducing overhead on async views.



* Support Django 4.2.

* Switch from ``urlparse()`` to ``urlsplit()`` for URL parsing, reducing the middleware runtime by up to 5%.
This changes the type passed to ``origin_found_in_white_lists()``, so if you have subclassed the middleware to override this method, check that your override is compatible (it most likely is).

Thanks to Thibaut Decombe in `PR 793 <>`__.



* Support Python 3.11.

* Support Django 4.1.



* Drop support for Django 2.2, 3.0, and 3.1.



* Drop Python 3.6 support.



* Prevent a crash when an invalid ``Origin`` header is sent.

Thanks to minusf for the report in `Issue 701 <>`__.
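As an added illustration of the two points above (parsing origins with ``urlsplit()`` and not crashing on an invalid ``Origin`` header), here is a defensive origin check written for this page; it is not django-cors-headers' own code, and ``ALLOWED_ORIGINS`` and ``ALLOWED_ORIGIN_REGEXES`` are constructed sample values standing in for the project's settings.

```python
import re
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Constructed allowlist for this example (stands in for a real CORS configuration).
ALLOWED_ORIGINS = {"https://app.example.com", "http://localhost:3000"}
ALLOWED_ORIGIN_REGEXES = [re.compile(r"^https://\w+\.example\.org$")]


def parse_origin(origin: str) -> Optional[SplitResult]:
    """Parse an Origin header value with urlsplit(); return None if it is unusable.

    A browser sends an Origin of the form scheme://host[:port] (or the literal
    "null"). Anything else is treated as "no matching origin" instead of raising,
    so a malformed header from a client cannot take the request path down.
    """
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
    except ValueError:
        # e.g. an unbalanced IPv6 literal such as "http://[::1": urlsplit() raises
        # rather than returning a partial result.
        return None
    # A serialized origin carries no path, query or fragment.
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    try:
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    return parts


def origin_allowed(origin: str) -> bool:
    """Return True if the Origin matches the exact allowlist or one of the regexes."""
    parts = parse_origin(origin)
    if parts is None:
        return False
    # Rebuild scheme://host[:port] so the comparison ignores nothing but case of the scheme.
    normalized = f"{parts.scheme}://{parts.netloc}"
    if normalized in ALLOWED_ORIGINS:
        return True
    return any(pattern.match(normalized) for pattern in ALLOWED_ORIGIN_REGEXES)
```

The regex is anchored at both ends, so a lookalike host such as ``docs.example.org.attacker.test`` does not match; the exact-match set catches the common case without touching the regex list.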
