From 1a280519e4dd149641ea5020b3a7749619a8574b Mon Sep 17 00:00:00 2001 From: CM Lubinski Date: Wed, 12 Oct 2016 15:28:46 +0000 Subject: [PATCH 1/3] Add default django middleware classes In particular, this adds a bunch of security-centric middleware. We don't need this now (we don't use sessions, authentication, etc.) but by activating them, we'll save ourselves in the future. This will also aid our security scans. --- regulations/settings/base.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/regulations/settings/base.py b/regulations/settings/base.py index 5e71ebb21..5f169996f 100644 --- a/regulations/settings/base.py +++ b/regulations/settings/base.py @@ -117,12 +117,18 @@ ] -# Note order: -# https://docs.djangoproject.com/en/1.8/topics/cache/#the-per-site-cache +# Order from +# https://docs.djangoproject.com/en/1.9/ref/middleware/#middleware-ordering MIDDLEWARE_CLASSES = ( + 'django.middleware.security.SecurityMiddleware', 'django.middleware.cache.UpdateCacheMiddleware', + 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', + 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'django.contrib.auth.middleware.SessionAuthenticationMiddleware', + 'django.contrib.messages.middleware.MessageMiddleware', + 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django.middleware.cache.FetchFromCacheMiddleware', ) From 6e2878bafde61b88587af3e49d0b9b85d23aea18 Mon Sep 17 00:00:00 2001 From: CM Lubinski Date: Wed, 12 Oct 2016 16:03:58 +0000 Subject: [PATCH 2/3] Add default installed apps Again, this will likely help us in the future and make this more of a standard Django app --- regulations/settings/base.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/regulations/settings/base.py b/regulations/settings/base.py index 5f169996f..e0189aeee 100644 --- a/regulations/settings/base.py +++ b/regulations/settings/base.py 
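Review bot: `SecurityMiddleware`, placed first in the new MIDDLEWARE_CLASSES tuple, emits no headers until the matching `SECURE_*` settings are set, and `SessionMiddleware` will now hand out a `sessionid` cookie to any view that touches `request.session` — neither that cookie nor the CSRF cookie carries the `Secure` flag by default, so if the site is served only over HTTPS add `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` alongside this tuple (or in the production override if base.py is also used for plain-HTTP development). `SessionAuthenticationMiddleware` is needed on 1.9 to invalidate sessions on password change, but it becomes a deprecated no-op in Django 1.10 and is removed in 2.0, so it deserves a comment such as `# drop once on Django >= 1.10: folded into AuthenticationMiddleware`. The per-site cache pair still wraps everything else; as far as I recall `SessionMiddleware` adds `Vary: Cookie` whenever the session is accessed, so cached responses are keyed per visitor and per-user content should not leak through the cache, but that is worth confirming with a test once any view actually uses the session.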
@@ -135,6 +135,11 @@ ROOT_URLCONF = 'regulations.urls' INSTALLED_APPS = ( + # Note: no admin + 'django.contrib.auth', + 'django.contrib.contenttypes', + 'django.contrib.sessions', + 'django.contrib.messages', 'django.contrib.staticfiles', 'regulations.apps.RegulationsConfig', ) From 3fd55d2b9d43867b58b375f7c3934aaafd889a62 Mon Sep 17 00:00:00 2001 From: CM Lubinski Date: Wed, 12 Oct 2016 16:12:07 +0000 Subject: [PATCH 3/3] Add additional security-related headers --- regulations/settings/base.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/regulations/settings/base.py b/regulations/settings/base.py index e0189aeee..94a10cd66 100644 --- a/regulations/settings/base.py +++ b/regulations/settings/base.py @@ -132,6 +132,9 @@ 'django.middleware.cache.FetchFromCacheMiddleware', ) +SECURE_BROWSER_XSS_FILTER = True +SECURE_CONTENT_TYPE_NOSNIFF = True + ROOT_URLCONF = 'regulations.urls' INSTALLED_APPS = (
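Review bot: Adding `'django.contrib.sessions'` to INSTALLED_APPS selects the database session backend unless `SESSION_ENGINE` is set elsewhere (not visible in this hunk), and that backend never purges expired rows on its own — `manage.py clearsessions` has to run on a schedule or the `django_session` table grows without bound. The `auth`, `contenttypes` and `sessions` apps also ship migrations, so every environment now needs a writable DATABASES configuration even though the commit message says sessions and authentication are unused. A comment on the `'django.contrib.sessions',` line, e.g. `# db-backed by default: schedule manage.py clearsessions (or set SESSION_ENGINE)`, would keep that operational requirement next to the setting that creates it.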
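Review bot: `SECURE_BROWSER_XSS_FILTER = True` only sets `X-XSS-Protection: 1; mode=block`, which most current browsers ignore (and the auditor it once enabled was itself a source of cross-site information leaks), so it is no substitute for a Content-Security-Policy; of the two new lines, `SECURE_CONTENT_TYPE_NOSNIFF` is the one that still matters. The transport-hardening settings that `SecurityMiddleware` reads are still at their defaults in this file — `SECURE_SSL_REDIRECT`, `SECURE_HSTS_SECONDS`, and `X_FRAME_OPTIONS` (1.9 defaults to `SAMEORIGIN`; use `'DENY'` if nothing needs to frame the site) — and if base.py is the only settings module in production they belong here too, otherwise in the production override. A short comment such as `# Response headers only; HSTS, SSL redirect and Secure cookies are set in the deployment settings` would make that split explicit for whoever reads the security scan results.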