
Commit 255a815

committed
Added some HTTP header settings for better security. Brings results at https://securityheaders.com/ up to 'A'.
- Legacy-Id: 16142
1 parent 196e80c commit 255a815

2 files changed

Lines changed: 22 additions & 0 deletions


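--- a/ietf/settings.py
+++ b/ietf/settings.py
@@ -357,7 +357,10 @@ def skip_unreadable_post(record):
 'ietf.middleware.SMTPExceptionMiddleware',
 'ietf.middleware.Utf8ExceptionMiddleware',
 'ietf.middleware.redirect_trailing_period_middleware',
+'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+'django.middleware.security.SecurityMiddleware',
+'csp.middleware.CSPMiddleware',
 'ietf.middleware.unicode_nfkc_normalization_middleware',
 )
 
@@ -465,6 +468,22 @@ def skip_unreadable_post(record):
 CORS_ALLOW_METHODS = ( 'GET', 'OPTIONS', )
 CORS_URLS_REGEX = r'^(/api/.*|.*\.json|.*/json/?)$'
 
+# Setting for django_referrer_policy.middleware.ReferrerPolicyMiddleware
+REFERRER_POLICY = 'strict-origin-when-cross-origin'
+
+# Content security policy configuration (django-csp)
+CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "data: https://datatracker.ietf.org/ https://www.ietf.org/")
+
+# django.middleware.security.SecurityMiddleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+#SECURE_HSTS_PRELOAD = True # Enable after testing
+SECURE_HSTS_SECONDS = 3600
+#SECURE_REDIRECT_EXEMPT
+#SECURE_SSL_HOST
+#SECURE_SSL_REDIRECT = True
+
 # Override this in your settings_local with the IP addresses relevant for you:
 INTERNAL_IPS = (
 # local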
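Review bot: The new `CSP_DEFAULT_SRC` in the second hunk lists `'unsafe-inline'` under default-src, which falls through to script-src and style-src, so inline scripts stay allowed and the policy does little against injected script beyond restricting external origins; if this is a deliberate first step while inline scripts are still in the templates, say so in the comment, e.g. `# 'unsafe-inline' is needed while templates still carry inline scripts; tighten to a nonce/hash-based script-src once they are moved out`. The third tuple element `"data: https://datatracker.ietf.org/ https://www.ietf.org/"` packs three sources into one string; django-csp appears to join entries with spaces so it likely works, but one source per element (`"data:", "https://datatracker.ietf.org/", "https://www.ietf.org/"`) is clearer and less error-prone. In the first hunk `django.middleware.security.SecurityMiddleware` is appended late in the middleware tuple; Django's documentation recommends placing it near the top so that SSL redirect and HSTS handling run before other middleware, which matters once the commented-out `SECURE_SSL_REDIRECT` is enabled. The middleware tuple and the settings module continue outside the hunks.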

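--- a/requirements.txt
+++ b/requirements.txt
@@ -13,10 +13,13 @@ defusedxml>=0.4.1 # for TastyPie when ussing xml; not a declared dependency
 Django>=1.11,!=1.11.18,<1.12 # 1.11.18 has problems exporting BinaryField from django.db.models
 django-bcrypt>=0.9.2 # for the BCrypt password hasher option. Remove when all bcrypt upgraded to argon2
 django-bootstrap3>=8.2.1,<9.0.0
+django-csp>=3.5
 django-cors-headers>=2.4.0
+django-feature-policy>=2.0
 django-formtools>=1.0 # instead of django.contrib.formtools in 1.8
 django-markup>=1.1
 django-password-strength>=1.2.1
+django-referrer-policy>=1.0
 django-simple-history>=2.3.0
 django-tastypie>=0.13.2
 django-widget-tweaks>=1.3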
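Review bot: `django-feature-policy>=2.0` is added here but nothing in the settings.py hunks of this commit enables it — only the referrer-policy and CSP middleware are wired in — so it is an unused dependency as committed. If a feature-policy middleware is planned for a follow-up, a trailing comment in the style the file already uses, e.g. `django-feature-policy>=2.0 # not yet enabled in settings`, would make that explicit; otherwise dropping the line keeps the requirement list in step with what the settings actually load.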
