From 5b930d07fc5856e37e299b581bc015aeb49b8602 Mon Sep 17 00:00:00 2001
From: Fabian Weisshaar
Date: Sat, 29 Dec 2018 20:24:41 +0100
Subject: [PATCH 1/3] Add X-XSS-Protection and X-Content-Type-Option HTTP Header

---
 src/nsupdate/settings/base.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index 84ee44c..4565c71 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -171,6 +171,7 @@ MIDDLEWARE = (
 'django.contrib.messages.middleware.MessageMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'django.middleware.security.SecurityMiddleware',
 )

 ROOT_URLCONF = 'nsupdate.urls'
@@ -272,6 +273,8 @@ LOGIN_REDIRECT_URL = '/overview/'
 LOGOUT_REDIRECT_URL = '/'

 X_FRAME_OPTIONS = 'DENY' # for clickjacking middleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True

 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'

From 1732ace5a055fd77b01226165b79783026edc142 Mon Sep 17 00:00:00 2001
From: Fabian Weisshaar
Date: Tue, 5 Mar 2019 11:58:46 +0100
Subject: [PATCH 2/3] Add Referrer-Policy HTTP Header, #281

---
 requirements.d/all.txt | 1 +
 setup.py | 1 +
 src/nsupdate/settings/base.py | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/requirements.d/all.txt b/requirements.d/all.txt
index 21ba795..86afe67 100644
--- a/requirements.d/all.txt
+++ b/requirements.d/all.txt
@@ -3,6 +3,7 @@ dnspython
 netaddr
 django~=1.11.0
 django-bootstrap-form
+django-referrer-policy
 django-registration-redux
 django-extensions
 social-auth-app-django
diff --git a/setup.py b/setup.py
index 73e98ec..9171705 100644
--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@ setup(
 'netaddr',
 'django>=1.11.0',
 'django-bootstrap-form',
+ 'django-referrer-policy',
 'django-registration-redux',
 'django-extensions',
 'social-auth-app-django',
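Review bot: SecurityMiddleware is appended as the last entry of MIDDLEWARE, but Django's deployment docs recommend placing it near the top of the list. In the post-1.10 middleware chain the last entry is the innermost one, so any earlier middleware that returns a response from process_request (a redirect issued before the inner chain runs) short-circuits and that response goes out without the nosniff/XSS headers this series enables; the same placement would also make a future SECURE_SSL_REDIRECT or HSTS setting run after everything else. Moving the entry to the first position, `'django.middleware.security.SecurityMiddleware',` directly after `MIDDLEWARE = (`, gives the headers full coverage. The start of the MIDDLEWARE tuple lies outside the hunk, and the same ordering is visible again in the second patch's middleware hunk.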
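Review bot: SECURE_BROWSER_XSS_FILTER emits `X-XSS-Protection: 1; mode=block`, a legacy header whose browser-side auditor has since been dropped by the major engines (and, as far as I recall, the setting itself was later deprecated and then removed from Django), so it must not be counted on as an XSS mitigation; the real defences remain template auto-escaping and, ideally, a Content-Security-Policy. With the project pinned to django~=1.11.0 the setting is harmless, but a comment such as `# legacy header, ignored by current browsers; kept for old clients only` next to it would stop a later reader from treating it as protection. SECURE_CONTENT_TYPE_NOSNIFF is the entry in this hunk that still matters.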
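Review bot: django-referrer-policy is added without any version specifier in both requirements.d/all.txt and the setup.py hunk, whereas django itself is constrained (`django~=1.11.0`). Because this package inserts a middleware into every response path, an unexpected new major release could change behaviour or break the middleware import at deploy time; a compatible-release spec like `django-referrer-policy~=<tested version>` in all.txt (setup.py can keep a looser lower bound) keeps installs reproducible. The surrounding entries follow the same unpinned style, so this may be a deliberate project convention rather than an oversight.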
diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index 4565c71..e8722a4 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -167,6 +167,7 @@ MIDDLEWARE = (
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
+ 'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
@@ -275,6 +276,7 @@ LOGOUT_REDIRECT_URL = '/'
 X_FRAME_OPTIONS = 'DENY' # for clickjacking middleware
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
+REFERRER_POLICY = 'same-origin'

 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'

From 60a3fe559c453bc36b0ec3e5dd39c1303640a59a Mon Sep 17 00:00:00 2001
From: Fabian Weisshaar
Date: Tue, 9 Apr 2019 15:08:14 +0200
Subject: [PATCH 3/3] Set HTTPONLY to CSRF cookies

---
 src/nsupdate/settings/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index e8722a4..f5a4d28 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -283,7 +283,7 @@ CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'
 # Settings for CSRF cookie.
 CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_PATH = '/'
-CSRF_COOKIE_HTTPONLY = False
+CSRF_COOKIE_HTTPONLY = True

 # Settings for session cookie.
 SESSION_COOKIE_NAME = 'sessionid'
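Review bot: REFERRER_POLICY = 'same-origin' is consumed by the third-party django_referrer_policy middleware registered in the previous hunk of this file, not by Django's SecurityMiddleware, and nothing on the line says so; a reader seeing the SECURE_* settings directly above will likely take it for a built-in setting. Add `# read by django_referrer_policy.middleware.ReferrerPolicyMiddleware` on the line, and note that Django 3.0+ ships the equivalent SECURE_REFERRER_POLICY in SecurityMiddleware, so the extra package and middleware entry can be dropped once the django~=1.11.0 pin is lifted. 'same-origin' also suppresses the Referer on every cross-origin navigation, including outbound links from the site, which is a reasonable choice for this app but worth stating so it is not loosened casually.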
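Review bot: Flipping CSRF_COOKIE_HTTPONLY to True means client-side JavaScript can no longer read the token from `document.cookie`, so any AJAX code in the project that follows the common getCookie('csrftoken') pattern will start receiving 403s from CsrfViewMiddleware; the commit touches no templates or JavaScript, so that needs checking before merge. Django's own docs note the setting gives little practical protection, since script running on the origin can read the token from the form's hidden input anyway; if it is kept, the JavaScript must take the token from the `{% csrf_token %}` hidden `csrfmiddlewaretoken` input rather than the cookie. A comment like `# JS must read the token from the form, not from the cookie` on the changed line would record that constraint.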