Explain each of the warning with appropriate setting to counter

This commit is contained in:
PCoder 2020-02-29 22:10:26 +05:30
parent 9de6a2e57d
commit c9665ea0a3

View file

@ -75,37 +75,72 @@ WARNINGS:
``` ```
## Actions to take for the warnings above and as per the recommendations in the settings page https://django-secure.readthedocs.io/en/latest/settings.html ## Actions to take for the warnings above
1. Django's way to protect the project against XSS is to enable the following values ### Preventing XSS https://docs.djangoproject.com/en/3.0/topics/security/
As it looks like the project is on a Django version less that 3.0, setting `SECURE_CONTENT_TYPE_NOSNIFF` to True is recommended. This will add `X-Content-Type-Options: nosniff` header to all requests ensuring that browsers will not be able to guess the content type of the served resource.
``` ```
# For Xss filter See https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/
SECURE_BROWSER_XSS_FILTER = True
```
```
# See https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff
SECURE_CONTENT_TYPE_NOSNIFF=True SECURE_CONTENT_TYPE_NOSNIFF=True
``` ```
2. SSL and HSTS Setting `SECURE_BROWSER_XSS_FILTER` to True is recommended. This adds `X-XSS-Protection: 1; mode=block` header on all responses.
This tells the browsers to block content that look like XSS attack.
This works on old browsers only.
Force/exempt ssl urls
``` ```
# set to any regex of urls that need to be served over plain http SECURE_BROWSER_XSS_FILTER=True
# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect ```
### Preventing clickjacking https://docs.djangoproject.com/en/3.0/ref/clickjacking/
Enable XFrameOptionsMiddleware middleware and set X_FRAME_OPTIONS to DENY if you are not using iframes at all. If you intend to use it then set this value to SAMEORIGIN which will allow the iframes to be embedded in your page which are served from the same domain. It is supported by most modern browsers (not all)
```
X_FRAME_OPTIONS=DENY
```
### Preventing CSRF https://docs.djangoproject.com/en/3.0/ref/csrf/
I think almost all forms in the project use {% csrf_token %} which is good.
### Use sessions instead of cookies https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-use-sessions
Django stores the CSRF token in cookie by default. Though this should be sufficient, storing in sessions is opted more often as a standard practice. Hence, to turn on session enable the following setting
```
CSRF_USE_SESSIONS=True
```
If you still prefer to go with cookies, ensure that the following is set to True which will make sure that the csrf token is always exchanged over https
```
SESSION_COOKIE_SECURE=True
```
There is a whole lot of things to look into when looking into CSRF in details. Please refer https://docs.djangoproject.com/en/3.0/ref/csrf/#using-csrf for more info.
### Exchanging data exclusively over https https://docs.djangoproject.com/en/3.0/topics/security/#ssl-https
This is a standard recommendation for all websites nowadays.
If all the traffic of the site is meant to be via ssl and exempt certain urls using `SECURE_REDIRECT_EXEMPT` if necessary OR another option is to handling this via an app server (nginx or apache).
```
SECURE_SSL_REDIRECT=True
```
Exempting any urls or regex from being redirected via ssl
https://docs.djangoproject.com/en/3.0/ref/settings/#secure-redirect-exempt
```
SECURE_REDIRECT_EXEMPT = [] SECURE_REDIRECT_EXEMPT = []
SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False
``` ```
Enable HSTS When this setting is set to True, all non-https requests will be redirected to the domain specified by `SECURE_SSL_HOST` below.
```
SECURE_SSL_REDIRECT = True
```
Use the name of the domain that will handle https requests. This has effect only when `SECURE_SSL_REDIRECT` is set to True.
``` ```
# Make the production server to respond to https always or set the strict https settings iff for a single domain SECURE_SSL_HOST=ssl.mydomain.com
SECURE_HSTS_INCLUDE_SUBDOMAINS=True
# 30 seconds or above based on whether increasing this value breaks something
SECURE_HSTS_SECONDS=30 seconds and above based on tests
SECURE_HSTS_PRELOAD = True
``` ```