diff --git a/notes.md b/notes.md index 8f2dac8..2b27b21 100644 --- a/notes.md +++ b/notes.md 
@@ -75,37 +75,72 @@ WARNINGS: ``` -## Actions to take for the warnings above and as per the recommendations in the settings page https://django-secure.readthedocs.io/en/latest/settings.html +## Actions to take for the warnings above -1. Django's way to protect the project against XSS is to enable the following values +### Preventing XSS https://docs.djangoproject.com/en/3.0/topics/security/ + +As it looks like the project is on a Django version less that 3.0, setting `SECURE_CONTENT_TYPE_NOSNIFF` to True is recommended. This will add `X-Content-Type-Options: nosniff` header to all requests ensuring that browsers will not be able to guess the content type of the served resource. ``` -# For Xss filter See https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/ -SECURE_BROWSER_XSS_FILTER = True +SECURE_CONTENT_TYPE_NOSNIFF=True ``` +Setting `SECURE_BROWSER_XSS_FILTER` to True is recommended. This adds `X-XSS-Protection: 1; mode=block` header on all responses. +This tells the browsers to block content that look like XSS attack. +This works on old browsers only. + ``` -# See https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff -SECURE_CONTENT_TYPE_NOSNIFF = True +SECURE_BROWSER_XSS_FILTER=True ``` -2. SSL and HSTS +### Preventing clickjacking https://docs.djangoproject.com/en/3.0/ref/clickjacking/ -Force/exempt ssl urls +Enable XFrameOptionsMiddleware middleware and set X_FRAME_OPTIONS to DENY if you are not using iframes at all. If you intend to use it then set this value to SAMEORIGIN which will allow the iframes to be embedded in your page which are served from the same domain. It is supported by most modern browsers (not all) +``` +X_FRAME_OPTIONS=DENY +``` + +### Preventing CSRF https://docs.djangoproject.com/en/3.0/ref/csrf/ + +I think almost all forms in the project use {% csrf_token %} which is good. 
+ +### Use sessions instead of cookies https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-use-sessions + +Django stores the CSRF token in cookie by default. Though this should be sufficient, storing in sessions is opted more often as a standard practice. Hence, to turn on session enable the following setting + +``` +CSRF_USE_SESSIONS=True +``` + +If you still prefer to go with cookies, ensure that the following is set to True which will make sure that the csrf token is always exchanged over https + +``` +SESSION_COOKIE_SECURE=True +``` + +There is a whole lot of things to look into when looking into CSRF in details. Please refer https://docs.djangoproject.com/en/3.0/ref/csrf/#using-csrf for more info. + + +### Exchanging data exclusively over https https://docs.djangoproject.com/en/3.0/topics/security/#ssl-https + +This is a standard recommendation for all websites nowadays. + +If all the traffic of the site is meant to be via ssl and exempt certain urls using `SECURE_REDIRECT_EXEMPT` if necessary OR another option is to handling this via an app server (nginx or apache). +``` +SECURE_SSL_REDIRECT=True +``` +Exempting any urls or regex from being redirected via ssl +https://docs.djangoproject.com/en/3.0/ref/settings/#secure-redirect-exempt ``` -# set to any regex of urls that need to be served over plain http -# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect SECURE_REDIRECT_EXEMPT = [] -SECURE_SSL_HOST = None -SECURE_SSL_REDIRECT = False ``` -Enable HSTS +When this setting is set to True, all non-https requests will be redirected to the domain specified by `SECURE_SSL_HOST` below. +``` +SECURE_SSL_REDIRECT = True +``` +Use the name of the domain that will handle https requests. This has effect only when `SECURE_SSL_REDIRECT` is set to True. 
``` -# Make the production server to respond to https always or set the strict https settings iff for a single domain -SECURE_HSTS_INCLUDE_SUBDOMAINS=True -# 30 seconds or above based on whether increasing this value breaks something -SECURE_HSTS_SECONDS=30 seconds and above based on tests -SECURE_HSTS_PRELOAD = True +SECURE_SSL_HOST=ssl.mydomain.com ```
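Review bot: the "If you still prefer to go with cookies" paragraph says the setting below makes sure the CSRF token is only exchanged over HTTPS, but the block sets `SESSION_COOKIE_SECURE=True`, which marks the session cookie as Secure and does nothing for the CSRF cookie; the CSRF cookie's Secure flag is controlled by `CSRF_COOKIE_SECURE`. Suggest `CSRF_COOKIE_SECURE=True` there, keeping `SESSION_COOKIE_SECURE=True` as its own recommendation. Two further points in the same hunk: the "Enable HSTS" section (`SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS`, `SECURE_HSTS_PRELOAD`) is removed with no replacement, so the HSTS warnings the heading refers to are no longer actioned, and `SECURE_SSL_REDIRECT=True` now appears twice in the "Exchanging data exclusively over https" section, once before `SECURE_REDIRECT_EXEMPT` and again after it, where one occurrence with the `SECURE_SSL_HOST` explanation would read more clearly. The sentence "If all the traffic of the site is meant to be via ssl and exempt certain urls ..." is also missing its main clause.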