Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security middleware and password validators #657

Merged
merged 2 commits into from
Dec 1, 2020
Merged

Add security middleware and password validators #657

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7ea2a08
Add security middleware and password validators
norkans7 Nov 30, 2020
300fad4
Add XFrameOptions middleware
norkans7 Dec 1, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions pip-freeze.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ django==2.2.13
djangorestframework==3.8.2
docutils==0.14 # via botocore
entrypoints==0.3 # via flake8
feedparser==5.2.1
feedparser==6.0.2
first==2.0.1 # via pip-tools
flake8==3.7.9
gitdb2==2.0.4 # via gitpython
Expand All @@ -59,7 +59,7 @@ openapi-codec==1.3.2 # via django-rest-swagger
pathspec==0.6.0 # via black
pbr==4.2.0 # via mock
phonenumbers==8.9.10 # via rapidpro-dash
pillow==7.2.0
pillow==8.0.1
pip-tools==2.0.2
pisa==3.0.33
polib==1.1.0 # via django-rosetta
Expand All @@ -78,13 +78,14 @@ regex==2020.9.27
requests==2.19.1 # via coreapi, django-rosetta, microsofttranslator, rapidpro-dash, rapidpro-python
rjsmin==1.1.0 # via django-compressor
s3transfer==0.1.13 # via boto3
sgmllib3k==1.0.0 # via feedparser
simplejson==3.16.0 # via django-rest-swagger
six==1.11.0 # via django-rosetta, microsofttranslator, mock, pip-tools, python-dateutil
smartmin==2.2.2
smmap2==2.0.4 # via gitdb2
sqlparse==0.2.4 # via django, django-debug-toolbar, smartmin
toml==0.10.1 # via black
typed-ast==1.4.0 # via black
typed-ast==1.4.1 # via black
typing-extensions==3.7.4.3 # via black
uritemplate==3.0.0 # via coreapi
urllib3==1.23 # via requests
Expand Down
9 changes: 8 additions & 1 deletion ureport/settings.py.prod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,15 @@ CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = "Strict"
CSRF_COOKIE_AGE = 10800

SECURE_HSTS_SECONDS = 86400
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_HSTS_PRELOAD: False
SECURE_HSTS_SECONDS: 86400
SECURE_PROXY_SSL_HEADER: ('HTTP_X_FORWARDED_PROTO', 'HTTPS')
SECURE_REDIRECT_EXEMPT: []
SECURE_SSL_HOST: None
SECURE_SSL_REDIRECT: False

# these guys will get email from sentry
ADMINS = (
Expand Down Expand Up @@ -93,6 +98,7 @@ DATABASES['default']['CONN_MAX_AGE'] = 60

# no debug toolbar in prod
MIDDLEWARE = (
'django.middleware.security.SecurityMiddleware',
'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
Expand All @@ -101,6 +107,7 @@ MIDDLEWARE = (
'django.contrib.messages.middleware.MessageMiddleware',
'smartmin.middleware.AjaxRedirect',
'django.middleware.locale.LocaleMiddleware',
"django.middleware.clickjacking.XFrameOptionsMiddleware",
'dash.orgs.middleware.SetOrgMiddleware',
)

Expand Down
9 changes: 8 additions & 1 deletion ureport/settings.py.staging
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,15 @@ CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = "Strict"
CSRF_COOKIE_AGE = 10800

SECURE_HSTS_SECONDS = 86400
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_HSTS_PRELOAD: False
SECURE_HSTS_SECONDS: 86400
SECURE_PROXY_SSL_HEADER: ('HTTP_X_FORWARDED_PROTO', 'HTTPS')
SECURE_REDIRECT_EXEMPT: []
SECURE_SSL_HOST: None
SECURE_SSL_REDIRECT: False

# these guys will get email from sentry
ADMINS = (
Expand Down Expand Up @@ -84,6 +89,7 @@ DATABASES['default'] = dj_database_url.config()

# no debug toolbar in prod
MIDDLEWARE = (
'django.middleware.security.SecurityMiddleware',
'raven.contrib.django.raven_compat.middleware.SentryResponseErrorIdMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
Expand All @@ -92,6 +98,7 @@ MIDDLEWARE = (
'django.contrib.messages.middleware.MessageMiddleware',
'smartmin.middleware.AjaxRedirect',
'django.middleware.locale.LocaleMiddleware',
"django.middleware.clickjacking.XFrameOptionsMiddleware",
'dash.orgs.middleware.SetOrgMiddleware',
)

Expand Down
9 changes: 7 additions & 2 deletions ureport/settings_common.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,6 @@

ROOT_URLCONF = "ureport.urls"


DATA_API_BACKENDS_CONFIG = {
"rapidpro": {"name": "RapidPro", "slug": "rapidpro", "class_type": "ureport.backend.rapidpro.RapidProBackend"}
}
Expand Down Expand Up @@ -772,9 +771,15 @@
# -----------------------------------------------------------------------------------
# Auth Configuration
# -----------------------------------------------------------------------------------

AUTHENTICATION_BACKENDS = ("django.contrib.auth.backends.ModelBackend",)

AUTH_PASSWORD_VALIDATORS = [
{"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
{"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", "OPTIONS": {"min_length": 8}},
{"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
{"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
]

ANONYMOUS_USER_NAME = "AnonymousUser"

# -----------------------------------------------------------------------------------
Expand Down