== Why is this an issue?

By default, only dictionary objects can be serialized in Django JSON-encoded response. Before ECMASCript 5, serializing non-dictionary objects could lead to security vulnerabilities. Since most modern browsers implement ECMAScript 5, this vector of attack is no longer a threat and it is possible to serialize non-dictionary objects by setting the `safe` flag to `False`. However, if this flag is not set, a `TypeError` will be thrown by the serializer. 

Despite this possibility, it is still recommended to serialize dictionary objects, as an API based on `dict` is generally more extensible and easier to maintain.

== How to fix it

To fix this issue, developers should ensure that the safe flag is set to "False" when attempting to serialize non-dictionary objects in Django.

=== Code examples

==== Noncompliant code example

[source,python]
----
from django.http import JsonResponse
response = JsonResponse([1, 2, 3])
----

==== Compliant solution

[source,python]
----
from django.http import JsonResponse
response = JsonResponse([1, 2, 3], safe=False)
----

== Resources
=== Documentation
https://docs.djangoproject.com/en/4.1/ref/request-response/#serializing-non-dictionary-objects[Serializing non-dictionary objects]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a dictionary object here, or set the "safe" flag to False.


'''
endif::env-github,rspecator-view[]