From 175381213672b409f940730c2bafc129815d5595 Mon Sep 17 00:00:00 2001
From: Carl Johnson
Date: Mon, 12 Nov 2018 15:04:03 -0500
Subject: [PATCH 1/2] Settings: Use security settings in dev as well as prod

---
 {{cookiecutter.project_slug}}/config/settings/base.py | 11 +++++++++++
 .../config/settings/production.py | 8 --------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/{{cookiecutter.project_slug}}/config/settings/base.py b/{{cookiecutter.project_slug}}/config/settings/base.py
index e4ab2884..950b9ed7 100644
--- a/{{cookiecutter.project_slug}}/config/settings/base.py
+++ b/{{cookiecutter.project_slug}}/config/settings/base.py
@@ -209,6 +209,17 @@ FIXTURE_DIRS = (
 str(APPS_DIR.path('fixtures')),
 )
 
+# SECURITY
+# ------------------------------------------------------------------------------
+# https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-httponly
+SESSION_COOKIE_HTTPONLY = True
+# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
+CSRF_COOKIE_HTTPONLY = True
+# https://docs.djangoproject.com/en/dev/ref/settings/#secure-browser-xss-filter
+SECURE_BROWSER_XSS_FILTER = True
+# https://docs.djangoproject.com/en/dev/ref/settings/#x-frame-options
+X_FRAME_OPTIONS = 'DENY'
+
 # EMAIL
 # ------------------------------------------------------------------------------
 # https://docs.djangoproject.com/en/dev/ref/settings/#email-backend
diff --git a/{{cookiecutter.project_slug}}/config/settings/production.py b/{{cookiecutter.project_slug}}/config/settings/production.py
index 87753b55..e77d4304 100644
--- a/{{cookiecutter.project_slug}}/config/settings/production.py
+++ b/{{cookiecutter.project_slug}}/config/settings/production.py
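Review bot: `CSRF_COOKIE_HTTPONLY = True` now applies to the local settings as well, so client-side JavaScript can no longer read the `csrftoken` cookie in development; any AJAX code following the cookie-reading pattern from the Django CSRF docs will start getting CSRF 403s, and nothing in the hunk says where the token should come from instead. A short comment next to the setting would save the next developer a debugging session, e.g. `# HttpOnly means JS cannot read the csrftoken cookie; read the token from the {% csrf_token %} form field instead`, and it is worth knowing that the Django docs themselves describe the HttpOnly flag on the CSRF cookie as offering little practical protection, so the breakage is not buying much. Whether `X_FRAME_OPTIONS` and `SECURE_BROWSER_XSS_FILTER` take effect at all depends on `XFrameOptionsMiddleware` and `SecurityMiddleware` being present in `MIDDLEWARE`, which lies outside this hunk; presumably base.py already lists both, but that should be confirmed so the move does not silently drop headers that production previously relied on.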
@@ -41,12 +41,8 @@ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 SECURE_SSL_REDIRECT = env.bool('DJANGO_SECURE_SSL_REDIRECT', default=True)
 # https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure
 SESSION_COOKIE_SECURE = True
-# https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-httponly
-SESSION_COOKIE_HTTPONLY = True
 # https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-secure
 CSRF_COOKIE_SECURE = True
-# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
-CSRF_COOKIE_HTTPONLY = True
 # https://docs.djangoproject.com/en/dev/topics/security/#ssl-https
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-hsts-seconds
 # TODO: set this to 60 seconds first and then to 518400 once you prove the former works
@@ -57,10 +53,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool('DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS
 SECURE_HSTS_PRELOAD = env.bool('DJANGO_SECURE_HSTS_PRELOAD', default=True)
 # https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff
 SECURE_CONTENT_TYPE_NOSNIFF = env.bool('DJANGO_SECURE_CONTENT_TYPE_NOSNIFF', default=True)
-# https://docs.djangoproject.com/en/dev/ref/settings/#secure-browser-xss-filter
-SECURE_BROWSER_XSS_FILTER = True
-# https://docs.djangoproject.com/en/dev/ref/settings/#x-frame-options
-X_FRAME_OPTIONS = 'DENY'
 
 # STORAGES
 # ------------------------------------------------------------------------------
From 65a506a9453738b8dc24964e8a33969ca2f1efd2 Mon Sep 17 00:00:00 2001
From: Carl Johnson
Date: Mon, 12 Nov 2018 15:07:24 -0500
Subject: [PATCH 2/2] Contributors: Add Carl Johnson

---
 CONTRIBUTORS.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CONTRIBUTORS.rst b/CONTRIBUTORS.rst
index 302b819e..35508eb7 100644
--- a/CONTRIBUTORS.rst
+++ b/CONTRIBUTORS.rst
@@ -70,6 +70,7 @@ Listed in alphabetical order. Bouke Haarsma Brent Payne `@brentpayne`_ @brentpayne Burhan Khalid            `@burhan`_                   @burhan + Carl Johnson `@carlmjohnson`_ @carlmjohnson Catherine Devlin `@catherinedevlin`_ Cédric Gaspoz `@cgaspoz`_ Charlie Smith `@chuckus`_ @@ -194,6 +195,7 @@ Listed in alphabetical order. .. _@burhan: https://github.com/burhan .. _@c-rhodes: https://github.com/c-rhodes .. _@caffodian: https://github.com/caffodian +.. _@carlmjohnson: https://github.com/carlmjohnson .. _@catherinedevlin: https://github.com/catherinedevlin .. _@ccurvey: https://github.com/ccurvey .. _@cdvv7788: https://github.com/cdvv7788