Merge pull request #657 from rapidpro/sec-adjustments

Add security middleware and password validators

pip-freeze.txt

@@ -36,7 +36,7 @@ django==2.2.13
 djangorestframework==3.8.2
 docutils==0.14            # via botocore
 entrypoints==0.3          # via flake8
-feedparser==5.2.1
+feedparser==6.0.2
 first==2.0.1              # via pip-tools
 flake8==3.7.9
 gitdb2==2.0.4             # via gitpython
@@ -59,7 +59,7 @@ openapi-codec==1.3.2      # via django-rest-swagger
 pathspec==0.6.0           # via black
 pbr==4.2.0                # via mock
 phonenumbers==8.9.10      # via rapidpro-dash
-pillow==7.2.0
+pillow==8.0.1
 pip-tools==2.0.2
 pisa==3.0.33
 polib==1.1.0              # via django-rosetta
@@ -78,13 +78,14 @@ regex==2020.9.27
 requests==2.19.1          # via coreapi, django-rosetta, microsofttranslator, rapidpro-dash, rapidpro-python
 rjsmin==1.1.0             # via django-compressor
 s3transfer==0.1.13        # via boto3
+sgmllib3k==1.0.0          # via feedparser
 simplejson==3.16.0        # via django-rest-swagger
 six==1.11.0               # via django-rosetta, microsofttranslator, mock, pip-tools, python-dateutil
 smartmin==2.2.2
 smmap2==2.0.4             # via gitdb2
 sqlparse==0.2.4           # via django, django-debug-toolbar, smartmin
 toml==0.10.1              # via black
-typed-ast==1.4.0          # via black
+typed-ast==1.4.1          # via black
 typing-extensions==3.7.4.3  # via black
 uritemplate==3.0.0        # via coreapi
 urllib3==1.23             # via requests

ureport/settings.py.prod

@@ -25,10 +25,15 @@ CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_SAMESITE = "Strict"
 CSRF_COOKIE_AGE = 10800
 
-SECURE_HSTS_SECONDS = 86400
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
+SECURE_HSTS_PRELOAD: False
+SECURE_HSTS_SECONDS: 86400
+SECURE_PROXY_SSL_HEADER: ('HTTP_X_FORWARDED_PROTO', 'HTTPS')
+SECURE_REDIRECT_EXEMPT: []
+SECURE_SSL_HOST: None
+SECURE_SSL_REDIRECT: False
 
 # these guys will get email from sentry
 ADMINS = (
@@ -93,6 +98,7 @@ DATABASES['default']['CONN_MAX_AGE'] = 60
 
 # no debug toolbar in prod
 MIDDLEWARE = (
+    'django.middleware.security.SecurityMiddleware',
     'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -101,6 +107,7 @@ MIDDLEWARE = (
     'django.contrib.messages.middleware.MessageMiddleware',
     'smartmin.middleware.AjaxRedirect',
     'django.middleware.locale.LocaleMiddleware',
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
     'dash.orgs.middleware.SetOrgMiddleware',
 )
 

ureport/settings.py.staging

@@ -23,10 +23,15 @@ CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_SAMESITE = "Strict"
 CSRF_COOKIE_AGE = 10800
 
-SECURE_HSTS_SECONDS = 86400
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
+SECURE_HSTS_PRELOAD: False
+SECURE_HSTS_SECONDS: 86400
+SECURE_PROXY_SSL_HEADER: ('HTTP_X_FORWARDED_PROTO', 'HTTPS')
+SECURE_REDIRECT_EXEMPT: []
+SECURE_SSL_HOST: None
+SECURE_SSL_REDIRECT: False
 
 # these guys will get email from sentry
 ADMINS = (
@@ -84,6 +89,7 @@ DATABASES['default'] = dj_database_url.config()
 
 # no debug toolbar in prod
 MIDDLEWARE = (
+    'django.middleware.security.SecurityMiddleware',
     'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -92,6 +98,7 @@ MIDDLEWARE = (
     'django.contrib.messages.middleware.MessageMiddleware',
     'smartmin.middleware.AjaxRedirect',
     'django.middleware.locale.LocaleMiddleware',
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
     'dash.orgs.middleware.SetOrgMiddleware',
 )
 

ureport/settings_common.py

@@ -158,7 +158,6 @@
 
 ROOT_URLCONF = "ureport.urls"
 
-
 DATA_API_BACKENDS_CONFIG = {
     "rapidpro": {"name": "RapidPro", "slug": "rapidpro", "class_type": "ureport.backend.rapidpro.RapidProBackend"}
 }
@@ -772,9 +771,15 @@
 # -----------------------------------------------------------------------------------
 # Auth Configuration
 # -----------------------------------------------------------------------------------
-
 AUTHENTICATION_BACKENDS = ("django.contrib.auth.backends.ModelBackend",)
 
+AUTH_PASSWORD_VALIDATORS = [
+    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
+    {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", "OPTIONS": {"min_length": 8}},
+    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
+    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
+]
+
 ANONYMOUS_USER_NAME = "AnonymousUser"
 
 # -----------------------------------------------------------------------------------