
DJANGO SHIPS CSP NONCE TAG AND FIXES ASGI AUTHENTICATION REGRESSION

By RepoJournal · Filed · About Django

Django merged three security and authentication fixes overnight that close gaps in ASGI middleware behavior and add a critical content security policy helper.

The headliner is a new `{% csp_nonce_attr %}` template tag [1] that handles CSP nonce injection explicitly — a cleaner pattern than the old workarounds for securing inline scripts and stylesheets.

This ships alongside two authentication fixes that matter more than they first appear: Django 5.2 introduced a regression where RemoteUserMiddleware behaved differently under ASGI than WSGI [2] [3], forcing proxy operators to rewrite headers in incompatible ways. That's fixed now. The team also clarified the security posture of RemoteUserMiddleware itself, tightening documentation around header spoofing risks.

A fourth commit [4] stages test infrastructure for incoming email provider integrations, suggesting a larger feature is landing in the next cycle. All four are cherry-picks or targeted fixes — no breaking changes, all backport candidates.
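To make the nonce pattern concrete, here is an added, self-contained Python illustration of what a nonce template tag automates: one fresh nonce per response, a policy header that names it, a rendered `nonce="..."` attribute, and a check of which inline scripts a browser would run under that policy. This is not Django's code and not the implementation of `{% csp_nonce_attr %}`; every function name (`generate_nonce`, `build_csp_header`, `nonce_attr`, `render_page`, `allowed_nonces`, `inline_scripts_allowed`) and the sample markup are constructed for this example.

```python
import html
import re
import secrets
from typing import Optional

# Constructed illustration of the per-response CSP nonce pattern that a nonce
# template tag automates. None of the names below are Django's; they are
# hypothetical stand-ins so the mechanism can be run and checked on its own.


def generate_nonce() -> str:
    """One fresh, unguessable nonce per HTTP response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str, report_only: bool = False):
    """Header allowing same-origin resources plus inline scripts/styles that
    carry this response's nonce. No 'unsafe-inline', so an injected <script>
    without the nonce is blocked by the browser."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )
    return name, value


def nonce_attr(nonce: Optional[str]) -> str:
    """What a nonce-attribute tag renders: nonce="..." when a nonce exists,
    nothing at all when no nonce was issued for this response."""
    if not nonce:
        return ""
    return f'nonce="{html.escape(nonce, quote=True)}"'


def render_page(nonce: Optional[str], untrusted_fragment: str = "") -> str:
    """Constructed template output: a trusted inline style and script carrying
    the nonce, plus an untrusted fragment (e.g. user content that got past
    escaping) which cannot know the nonce."""
    return (
        "<html><head>"
        f"<style {nonce_attr(nonce)}>body{{margin:0}}</style>"
        "</head><body>"
        f"<script {nonce_attr(nonce)}>console.log('trusted');</script>"
        f"{untrusted_fragment}"
        "</body></html>"
    )


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def allowed_nonces(csp_value: str, directive: str = "script-src") -> set:
    """Nonces the policy accepts for a directive (falls back to default-src)."""
    directives = {}
    for chunk in csp_value.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get(directive, directives.get("default-src", []))
    return {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-") and s.endswith("'")}


def inline_scripts_allowed(csp_value: str, document: str) -> list:
    """Per <script> tag in document order: True if the browser would run it
    under this policy, i.e. its nonce attribute matches a policy nonce."""
    allowed = allowed_nonces(csp_value)
    verdicts = []
    for tag in _SCRIPT_TAG.finditer(document):
        match = _NONCE_ATTR.search(tag.group(1))
        verdicts.append(match is not None and match.group(1) in allowed)
    return verdicts


if __name__ == "__main__":
    nonce = generate_nonce()
    _, policy = build_csp_header(nonce)
    page = render_page(nonce, "<script>alert('injected')</script>")
    print(policy)
    print(inline_scripts_allowed(policy, page))  # [True, False]
```

Two points the check makes visible: the trusted script runs only because the same nonce appears in both the header and the markup, and a page rendered without a nonce (the attribute collapses to nothing) but served with a nonce policy blocks its own inline script, so the header and the template must be driven from the same per-response value rather than hand-wired.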

References

  [1] Fixed #36784 -- Added csp_nonce_attr template tag for CSP nonce inclusion. django/django
  [2] Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header corresponds to request.META under ASGI. django/django
  [3] Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header corresponds to request.META under ASGI. django/django
  [4] Refs #35514 -- Prepared for email providers. django/django

FAQ

What changed in Django on May 7, 2026?
Django merged three security and authentication fixes overnight that close gaps in ASGI middleware behavior and add a critical content security policy helper.
What should Django teams do about it?
  • Review RemoteUserMiddleware configuration if running ASGI in production — verify header names match documented format
  • Adopt {% csp_nonce_attr %} in templates using inline scripts — removes need for manual context injection
  • Watch djangoproject.com for playwright test suite rollout — regression tests are failing as expected
Which Django repositories shipped on May 7, 2026?
django/django
