Django 6.0 release notes - UNDER DEVELOPMENT¶

Content Security Policy support¶

Built-in support for the Content Security Policy (CSP) standard is now available, making it easier to protect web applications against content injection attacks such as cross-site scripting (XSS). CSP allows declaring trusted sources of content by giving browsers strict rules about which scripts, styles, images, or other resources can be loaded.

CSP policies can now be enforced or monitored directly using built-in tools: headers are added via the ContentSecurityPolicyMiddleware, nonces are supported through the csp() context processor, and policies are configured using the SECURE_CSP and SECURE_CSP_REPORT_ONLY settings.

These settings accept Python dictionaries and support Django-provided constants for clarity and safety. For example:

from django.utils.csp import CSP

SECURE_CSP = {
    "default-src": [CSP.SELF],
    "script-src": [CSP.SELF, CSP.NONCE],
    "img-src": [CSP.SELF, "https:"],
}

The resulting Content-Security-Policy header would be set to:

default-src 'self'; script-src 'self' 'nonce-SECRET'; img-src 'self' https:

To get started, follow the CSP how-to guide. For in-depth guidance, see the CSP security overview and the reference docs, which include details about decorators to override or disable policies on a per-view basis.

Template Partials¶

The Django Template Language now supports template partials, making it easier to encapsulate and reuse small named fragments within a template file. The new tags {% partialdef %} and {% partial %} define a partial and render it, respectively.

Partials can also be referenced using the template_name#partial_name syntax with get_template(), render(), {% include %}, and other template-loading tools, enabling more modular and maintainable templates without needing to split components into separate files.

A migration guide is available if you’re updating from the django-template-partials third-party package.

Background Tasks¶

Django now includes a built-in Tasks framework for running code outside the HTTP request–response cycle. This enables offloading work, such as sending emails or processing data, to background workers.

Tasks are defined using the task() decorator:

from django.core.mail import send_mail
from django.tasks import task


@task
def email_users(emails, subject, message):
    return send_mail(subject, message, None, emails)

Once defined, tasks can be enqueued through a configured backend:

email_users.enqueue(
    emails=["user@example.com"],
    subject="You have a message",
    message="Hello there!",
)

Backends are configured via the TASKS setting. The two built-in backends included in this release are primarily intended for development and testing.

Django handles task creation and queuing, but does not provide a worker mechanism to run tasks. Execution must be managed by external infrastructure, such as a separate process or service.

See Django’s Tasks framework for an overview and the Tasks reference for API details.

Adoption of Python’s modern email API¶

Email handling in Django now uses Python’s modern email API, introduced in Python 3.6. This API, centered around the email.message.EmailMessage class, offers a cleaner and Unicode-friendly interface for composing and sending emails. It replaces use of Python’s older legacy (Compat32) API, which relied on lower-level MIME classes (from email.mime) and required more manual handling of message structure and encoding.

Notably, the return type of the EmailMessage.message() method is now an instance of Python’s email.message.EmailMessage. This supports the same API as the previous SafeMIMEText and SafeMIMEMultipart return types, but is not an instance of those now-deprecated classes.

Minor features¶

Database backend API¶

This section describes changes that may be needed in third-party database backends.

• BaseDatabaseSchemaEditor and PostgreSQL backends no longer use CASCADE when dropping a column.

• DatabaseOperations.return_insert_columns() and DatabaseOperations.fetch_returned_insert_rows() methods are renamed to returning_columns() and fetch_returned_rows(), respectively, to denote they can be used in the context of UPDATE … RETURNING statements as well as INSERT … RETURNING.

• The DatabaseOperations.fetch_returned_insert_columns() method is removed and the fetch_returned_rows() method replacing fetch_returned_insert_rows() expects both a cursor and returning_params to be provided, just like fetch_returned_insert_columns() did.

• If the database supports UPDATE … RETURNING statements, backends can set DatabaseFeatures.can_return_rows_from_update=True.

Dropped support for MariaDB 10.5¶

Upstream support for MariaDB 10.5 ends in June 2025. Django 6.0 supports MariaDB 10.6 and higher.

Dropped support for Python < 3.12¶

Because Python 3.12 is now the minimum supported version for Django, any optional dependencies must also meet that requirement. The following versions of each library are the first to add or confirm compatibility with Python 3.12:

• aiosmtpd 1.4.5

• argon2-cffi 23.1.0

• bcrypt 4.1.1

• docutils 0.22

• geoip2 4.8.0

• Pillow 10.1.0

• mysqlclient 2.2.1

• numpy 1.26.0

• PyYAML 6.0.2

• psycopg 3.1.12

• psycopg2 2.9.9

• redis-py 5.1.0

• selenium 4.23.0

• sqlparse 0.5.0

• tblib 3.0.0

Email¶

• The undocumented mixed_subtype and alternative_subtype properties of EmailMessage and EmailMultiAlternatives are no longer supported.

• The undocumented encoding property of EmailMessage no longer supports Python legacy email.charset.Charset objects.

• As the internal implementations of EmailMessage and EmailMultiAlternatives have changed significantly, closely examine any custom subclasses that rely on overriding undocumented, internal underscore methods.

DEFAULT_AUTO_FIELD setting now defaults to BigAutoField¶

Since Django 3.2, when the DEFAULT_AUTO_FIELD setting was added, the default startproject template’s settings.py contained:

DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

and the default startapp template’s AppConfig contained:

default_auto_field = "django.db.models.BigAutoField"

At that time, the default value of DEFAULT_AUTO_FIELD remained django.db.models.AutoField for backwards compatibility.

In Django 6.0, DEFAULT_AUTO_FIELD now defaults to django.db.models.BigAutoField and the aforementioned lines in the project and app templates are removed.

Most projects shouldn’t be affected, since Django 3.2 has raised the system check warning models.W042 for projects that don’t set DEFAULT_AUTO_FIELD.

If you haven’t dealt with this warning by now, add DEFAULT_AUTO_FIELD = 'django.db.models.AutoField' to your project’s settings, or default_auto_field = 'django.db.models.AutoField' to an app’s AppConfig, as needed.

Custom ORM expressions should return params as a tuple¶

Prior to Django 6.0, custom lookups and custom expressions implementing the as_sql() method (and its supporting methods process_lhs() and process_rhs()) were allowed to return a sequence of params in either a list or a tuple. To address the interoperability problems that resulted, the second return element of the as_sql() method should now be a tuple:

def as_sql(self, compiler, connection) -> tuple[str, tuple]: ...

If your custom expressions support multiple versions of Django, you should adjust any pre-processing of parameters to be resilient against either tuples or lists. For instance, prefer unpacking like this:

params = (*lhs_params, *rhs_params)

Miscellaneous¶

• The JSON serializer now writes a newline at the end of the output, even without the indent option set.

• The undocumented django.utils.http.parse_header_parameters() function is refactored to use Python’s email.message.Message for parsing. Input headers exceeding 10000 characters will now raise ValueError.

• Widgets from django.contrib.gis.forms.widgets now render without inline JavaScript in templates. If you have customized any geometry widgets or their templates, you may need to update them to match the new layout.

• Message levels messages.DEBUG and messages.INFO now have distinct icons and CSS styling in the admin. Previously, these used the same icon and styling as the messages.SUCCESS level. Since ModelAdmin.message_user() uses the messages.INFO level by default, set the level to messages.SUCCESS to retain the previous icon and styling.

• The minimum supported version of asgiref is increased from 3.8.1 to 3.9.1.

• The collectstatic command now reports only a summary of skipped files due to conflicts when --verbosity is 1. To see warnings for each conflicting destination path, set the --verbosity flag to 2 or higher.

• The collectstatic --clear command now reports only a summary of deleted files when --verbosity is 1. To see the details for each file deleted, set the --verbosity flag to 2 or higher.

Positional arguments in django.core.mail APIs¶

django.core.mail APIs now require keyword arguments for less commonly used parameters. Using positional arguments for these now emits a deprecation warning and will raise a TypeError when the deprecation period ends:

• All optional parameters (fail_silently and later) must be passed as keyword arguments to get_connection(), mail_admins(), mail_managers(), send_mail(), and send_mass_mail().

• All parameters must be passed as keyword arguments when creating an EmailMessage or EmailMultiAlternatives instance, except for the first four (subject, body, from_email, and to), which may still be passed either as positional or keyword arguments.

Miscellaneous¶

• BaseDatabaseCreation.create_test_db(serialize) is deprecated. Use serialize_db_to_string() instead.

• The PostgreSQL StringAgg class is deprecated in favor of the generally available StringAgg class.

• The PostgreSQL OrderableAggMixin is deprecated in favor of the order_by attribute now available on the Aggregate class.

• The default protocol in urlize and urlizetrunc will change from HTTP to HTTPS in Django 7.0. Set the transitional setting URLIZE_ASSUME_HTTPS to True to opt into assuming HTTPS during the Django 6.x release cycle.

• URLIZE_ASSUME_HTTPS transitional setting is deprecated.

• Setting ADMINS or MANAGERS to a list of (name, address) tuples is deprecated. Set to a list of email address strings instead. Django never used the name portion. To include a name, format the address string as '"Name" <address>' or use Python’s email.utils.formataddr().

• Support for the orphans argument being larger than or equal to the per_page argument of django.core.paginator.Paginator and django.core.paginator.AsyncPaginator is deprecated.

• Using a percent sign in a column alias or annotation is deprecated.

• Support for passing Python’s legacy email MIMEBase object to EmailMessage.attach() (or including one in the message’s attachments list) is deprecated. For complex attachments requiring additional headers or parameters, switch to the modern email API’s MIMEPart.

• The django.core.mail.BadHeaderError exception is deprecated. Python’s modern email raises a ValueError for email headers containing prohibited characters.

• The django.core.mail.SafeMIMEText and SafeMIMEMultipart classes are deprecated.

• The undocumented django.core.mail.forbid_multi_line_headers() and django.core.mail.message.sanitize_address() functions are deprecated.