fix: default insecure configuration for silk ui #861

Open
johnny-official wants to merge 1 commit into jazzband:master from johnny-official:fix/security/default-insecure-configuration-for-silk-

Conversation

@johnny-official

Problem

The django-silk profiling and inspection UI is unauthenticated and unauthorized by default (SILKY_AUTHENTICATION and SILKY_AUTHORISATION are False). This means that if django-silk is deployed to a production environment without explicitly configuring these settings, anyone with network access to the /silk/ URL can view sensitive application data, including request/response bodies, headers, query parameters, database queries, and potentially full Python profiles. This exposes internal application details, which can aid attackers in understanding the system and finding further vulnerabilities.

Changes

In silk/config.py, change the default values:

Modified files:

  • silk/config.py (modified)

Tested by running the project's existing test suite. No unrelated changes included.

Closes #860

Signed-off-by: Johnny <93166599+johnny-official@users.noreply.github.com>
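As an added example (not code from django-silk or from this PR), the check below lints a Django settings mapping for the exposure described above: Silk installed with SILKY_AUTHENTICATION / SILKY_AUTHORISATION left at their False defaults, and, once either flag is on, the session and auth middleware the review thread says Silk depends on. Settings are modelled as a plain dict so it runs without Django; the middleware import paths and `silk.middleware.SilkyMiddleware` are assumed from Django and django-silk conventions, and the sample settings are constructed.

```python
from typing import Any, Dict, List

# Middleware the review thread says Silk needs once its auth checks are on (assumed paths).
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"


def silk_findings(settings: Dict[str, Any]) -> List[str]:
    """Return findings for a settings mapping; an empty list means the Silk UI is gated.

    Mirrors django-silk's shipped defaults at the time of this PR: both
    SILKY_* flags are treated as False when the project does not set them.
    """
    findings: List[str] = []
    if "silk" not in settings.get("INSTALLED_APPS", []):
        return findings  # Silk not installed, nothing to expose

    auth = bool(settings.get("SILKY_AUTHENTICATION", False))
    authz = bool(settings.get("SILKY_AUTHORISATION", False))
    if not auth:
        findings.append("SILKY_AUTHENTICATION off: anyone reaching /silk/ can read "
                        "request/response bodies, headers, parameters and SQL")
    if not authz:
        findings.append("SILKY_AUTHORISATION off: any authenticated user, not only "
                        "permitted ones, can read profiling data")

    # With either flag on, Silk depends on Django's session and auth middleware
    # (the thread notes SilkyMiddleware raises SilkNotConfigured otherwise).
    if auth or authz:
        for needed in (SESSION_MW, AUTH_MW):
            if needed not in settings.get("MIDDLEWARE", []):
                findings.append(f"{needed} missing from MIDDLEWARE: Silk's auth "
                                "check cannot run")

    if findings and not settings.get("DEBUG", False):
        findings.append("DEBUG is False: the findings above apply to a "
                        "production-style deployment")
    return findings


# Constructed sample settings (not from any real project).
INSECURE = {"DEBUG": False, "INSTALLED_APPS": ["silk"],
            "MIDDLEWARE": ["silk.middleware.SilkyMiddleware"]}
HARDENED = {"DEBUG": False, "INSTALLED_APPS": ["silk"],
            "SILKY_AUTHENTICATION": True, "SILKY_AUTHORISATION": True,
            "MIDDLEWARE": [SESSION_MW, AUTH_MW, "silk.middleware.SilkyMiddleware"]}

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, silk_findings(cfg) or ["ok"])
```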

Copilot AI left a comment


Pull request overview

This PR addresses an insecure default in django-silk by enabling authentication and authorization for the Silk UI by default, reducing the risk of exposing profiling data when deployed without explicit configuration.

Changes:

  • Set SILKY_AUTHENTICATION default to True
  • Set SILKY_AUTHORISATION default to True


Comment thread silk/config.py
Comment on lines +19 to +20
'SILKY_AUTHENTICATION': True,
'SILKY_AUTHORISATION': True,
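Review bot: the two literals are flipped with no accompanying test or documentation change in the hunk, so nothing in the PR pins the new behaviour or tells existing users about it; add a test asserting the defaults of SILKY_AUTHENTICATION and SILKY_AUTHORISATION, and update the README sentence quoted in this thread ("By default anybody can access the Silk user interface"), which becomes incorrect once these lines land.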

Copilot AI Mar 28, 2026


Changing the defaults to enable authentication/authorisation will cause Silk to require Django session/auth/message middleware by default (SilkyMiddleware raises SilkNotConfigured if none are present). This is a behavioral breaking change for projects with a minimal middleware stack (e.g., API-only) that previously could use Silk without adding those middlewares; consider either (a) making the new secure defaults conditional (e.g., only when DEBUG=False), or (b) explicitly documenting/validating the required middleware stack when these defaults are on (ideally requiring at least SessionMiddleware + AuthenticationMiddleware).

Comment thread silk/config.py
Comment on lines +19 to +20
'SILKY_AUTHENTICATION': True,
'SILKY_AUTHORISATION': True,

Copilot AI Mar 28, 2026


This change flips Silk's default access model, but the README currently states that “By default anybody can access the Silk user interface” and instructs users to enable SILKY_AUTHENTICATION/SILKY_AUTHORISATION manually (README.md around the Authentication/Authorisation section). Please update the documentation/release notes to reflect the new defaults and provide guidance for opting out (setting these to False) for local/dev use.

@albertyw
Member

albertyw commented Mar 28, 2026

This is a breaking change and will need several steps to change (fixing tests, warnings to users, updates to documentation, a major version bump, etc.) if we want to change it. The documentation also states that auth should be enabled if in production environments. This config should arguably stay as is.
