More security, middleware upgrade, dj-reg.2.5

2025-12-15 02:57:17 +00:00 · 2020-06-20 23:08:34 +01:00
parent 477a289c2e
commit f3232cc5df
13 changed files with 96 additions and 45 deletions
--- a/settings.py
+++ b/settings.py
@@ -95,6 +95,11 @@ SMART_APPEND_SLASH = True
 SECRET_KEY = "not-the-real-secret-key-a#vaeozn0---^fj!355qki*vj2"

 LOGIN_REDIRECT_URL = '/'
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True
+#SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel
+CSRF_COOKIE_SECURE = True
+X_FRAME_OPTIONS = 'SAMEORIGIN'  # change to "DENY" after we eliminate all the iframes in use.

 INSTALLED_APPS = (
    'django.contrib.admin',
@@ -102,7 +107,7 @@ INSTALLED_APPS = (
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
-#    'django.contrib.staticfiles',
+#    'django.contrib.staticfiles', # apparently not working. Using workarounds with flatpages
    'registration',
    'troggle.profiles',
    'troggle.core',
@@ -110,6 +115,7 @@ INSTALLED_APPS = (
 )

 MIDDLEWARE_CLASSES = (
+    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',