Added some HTTP header settings for better security. Brings results at https://securityheaders.com/ up to 'A'.

- Legacy-Id: 16142
Henrik Levkowetz 2019-04-10 15:30:18 +00:00
parent 196e80c4d6
commit 255a815378
2 changed files with 22 additions and 0 deletions


@ -357,7 +357,10 @@ MIDDLEWARE = (
'ietf.middleware.SMTPExceptionMiddleware',
'ietf.middleware.Utf8ExceptionMiddleware',
'ietf.middleware.redirect_trailing_period_middleware',
'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'csp.middleware.CSPMiddleware',
'ietf.middleware.unicode_nfkc_normalization_middleware',
)
@ -465,6 +468,22 @@ CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS = ( 'GET', 'OPTIONS', )
CORS_URLS_REGEX = r'^(/api/.*|.*\.json|.*/json/?)$'
# Setting for django_referrer_policy.middleware.ReferrerPolicyMiddleware
REFERRER_POLICY = 'strict-origin-when-cross-origin'
# Content security policy configuration (django-csp)
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "data: https://datatracker.ietf.org/ https://www.ietf.org/")
# django.middleware.security.SecurityMiddleware
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
#SECURE_HSTS_PRELOAD = True # Enable after testing
SECURE_HSTS_SECONDS = 3600
#SECURE_REDIRECT_EXEMPT
#SECURE_SSL_HOST
#SECURE_SSL_REDIRECT = True
# Override this in your settings_local with the IP addresses relevant for you:
INTERNAL_IPS = (
# local
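Review bot: In the second hunk, CSP_DEFAULT_SRC packs three sources into one space-separated string, and the policy allows 'unsafe-inline' in default-src, which also governs script-src and so leaves the CSP with little protection against injected inline scripts. Give each source its own tuple element, `CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "data:", "https://datatracker.ietf.org/", "https://www.ietf.org/")`, and consider a separate CSP_SCRIPT_SRC without 'unsafe-inline' (rolling it out with CSP_REPORT_ONLY = True first) if the templates permit it. The HSTS settings only take effect on requests Django considers secure, so if TLS is terminated by a proxy in front of the app, SECURE_PROXY_SSL_HEADER presumably needs to be set for the header to be emitted at all; the 3600-second max-age is sensible for the initial rollout but must be raised to at least a year before enabling SECURE_HSTS_PRELOAD. In the first hunk, SecurityMiddleware is placed near the end of the MIDDLEWARE tuple, whereas Django recommends it near the top so that a future SECURE_SSL_REDIRECT runs before other middleware; both the MIDDLEWARE tuple and the INTERNAL_IPS tuple extend outside the hunks shown.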


@ -13,10 +13,13 @@ defusedxml>=0.4.1 # for TastyPie when ussing xml; not a declared dependency
Django>=1.11,!=1.11.18,<1.12 # 1.11.18 has problems exporting BinaryField from django.db.models
django-bcrypt>=0.9.2 # for the BCrypt password hasher option. Remove when all bcrypt upgraded to argon2
django-bootstrap3>=8.2.1,<9.0.0
django-csp>=3.5
django-cors-headers>=2.4.0
django-feature-policy>=2.0
django-formtools>=1.0 # instead of django.contrib.formtools in 1.8
django-markup>=1.1
django-password-strength>=1.2.1
django-referrer-policy>=1.0
django-simple-history>=2.3.0
django-tastypie>=0.13.2
django-widget-tweaks>=1.3