From a73c666415b7359df81f53570ed032d04de906f1 Mon Sep 17 00:00:00 2001 From: Philip Sargent Date: Sun, 31 Oct 2021 10:05:26 +0200 Subject: [PATCH] more 'python manage.py check' docum --- handbook/troggle/troglaptop.html | 34 ++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/handbook/troggle/troglaptop.html b/handbook/troggle/troglaptop.html index 0a3dbd870..5eb3ab101 100644 --- a/handbook/troggle/troglaptop.html +++ b/handbook/troggle/troglaptop.html @@ -242,6 +242,14 @@ and in addition to the [django] command list, you will now gets command lists fo [contenttypes], [core], and [sessions]. These are the modules (plugins) loaaded into django. [core] is the core of troggle (but not all of it: the input file parsers are not in [core]). +

Now: +

python -Wall manage.py check 
+This loads the settings files and checks that all the Django packages and python libraries +imports all work. It gives warnings of deprecated Django which should be fixed. +You should not get any warnings on a fresh install on a new machine but you will +see warning and error messages when you are +trying to upgrade troggle to use later versions of Django. +
python manage.py check -v 3 --traceback
Ideally this will list settings imports and then say
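Review bot: The added paragraph under `python -Wall manage.py check` describes the output only as "warnings of deprecated Django", but `-Wall` turns on every Python warning category, so the output can also include warnings raised by the other python libraries the same paragraph says are being imported. Suggest wording it as "deprecated Django features and other Python warnings", so that a reader who sees a non-Django warning on a fresh install does not assume the install is broken. While editing, "checks that all the Django packages and python libraries imports all work" reads better as "checks that the imports of all the Django packages and python libraries work". The two commands now each sit under their own "Now:", so it would also help to state that the following "Ideally this will list settings imports" sentence refers to the `--traceback` run and not the `-Wall` run.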
@@ -255,14 +263,32 @@ Ensure that the path to the troggle/ directory is in the list. It should be at the top, which is where the current working directory is.

Now: + +

python  manage.py check -v 3 --deploy
-which will give security warnings for deployment. Various middleware settings and +which will give security warnings for deployment. You will get various middleware settings +because we have not got https:// properly configured everywhere (we have unresolved issues with +the Django admin control panel and https:// in October 2021) and a warning not to use DEBUG=true in deployment. We always have DEBUG=True set for troggle -as otherwise the users get useless error messages. +as otherwise the users get useless error messages. This is completely contrary to Django +official security advice. +
+Click triangle to see security warnings in detail +
+?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' 
+in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, 
+SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.                         
 
-
python -Wall manage.py check 
-Gives warnings of deprecated Django which should be fixed. You should not get any on a fresh install but youwill see this message when you are trying to upgrade troggle to use later versions of Django. +?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only +session cookie makes it more difficult for network traffic sniffers to hijack user sessions. +?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your +MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only +CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token. +?: (security.W018) You should not have DEBUG set to True in deployment.
+
+ +

If you got an error traceback with

python manage.py
then the settings registration of troggle with django is incomplete.
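Review bot: In the added paragraph after `python manage.py check -v 3 --deploy`, the sentence "This is completely contrary to Django official security advice." records the decision to keep DEBUG=True but not what it exposes or what limits the exposure. Suggest adding one sentence saying that with DEBUG on, Django's error pages show tracebacks, local variables and settings values to whoever triggers the error, and noting whatever restricts who can reach the server, so the security.W018 entry in the listing reads as an accepted risk and not an oversight. The rewritten sentence "You will get various middleware settings because we have not got https:// properly configured" has also lost its noun (warnings), and it attributes all the warnings to the https:// problem, while security.W001 in the listing says SecurityMiddleware is not in MIDDLEWARE at all, which is a separate item from the secure-cookie warnings W012 and W016. Finally, the paragraph spells the setting both `DEBUG=true` and `DEBUG=True`; only the second is valid in a settings file.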