Merge pull request #410 from elnappo/secure-http

Add some security HTTP Headers
2019-12-27 16:58:01 +01:00 · 2019-12-27 16:58:01 +01:00 · 5edb9f768a
commit 5edb9f768a
parent 86cf85c1b1 60a3fe559c
3 changed files with 8 additions and 1 deletions
--- a/requirements.d/all.txt
+++ b/requirements.d/all.txt
@ -3,6 +3,7 @@ dnspython
 netaddr
 django~=1.11.0
 django-bootstrap-form
+django-referrer-policy
 django-registration-redux
 django-extensions
 social-auth-app-django
--- a/setup.py
+++ b/setup.py
@ -33,6 +33,7 @@ setup(
        'netaddr',
        'django>=1.11.0',
        'django-bootstrap-form',
+        'django-referrer-policy',
        'django-registration-redux',
        'django-extensions',
        'social-auth-app-django',
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@ -167,10 +167,12 @@ MIDDLEWARE = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
+    'django_referrer_policy.middleware.ReferrerPolicyMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'social_django.middleware.SocialAuthExceptionMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
 )

 ROOT_URLCONF = 'nsupdate.urls'
@ -272,13 +274,16 @@ LOGIN_REDIRECT_URL = '/overview/'
 LOGOUT_REDIRECT_URL = '/'

 X_FRAME_OPTIONS = 'DENY'  # for clickjacking middleware
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+REFERRER_POLICY = 'same-origin'

 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'

 # Settings for CSRF cookie.
 CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_PATH = '/'
-CSRF_COOKIE_HTTPONLY = False
+CSRF_COOKIE_HTTPONLY = True

 # Settings for session cookie.
 SESSION_COOKIE_NAME = 'sessionid'