Skip to content

Commit

Permalink
Content Security and Permission Policies - django setup
Browse files Browse the repository at this point in the history
  • Loading branch information
vincentporte committed Sep 19, 2023
1 parent 946808b commit 349e76e
Showing 1 changed file with 66 additions and 2 deletions.
68 changes: 66 additions & 2 deletions config/settings/base.py
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@

INSTALLED_APPS = DJANGO_APPS + LOCAL_APPS + THIRD_PARTIES_APPS

MIDDLEWARE = [
DJANGO_MIDDLEWARE = [
"django.middleware.gzip.GZipMiddleware",
"django.middleware.security.SecurityMiddleware",
"django.contrib.redirects.middleware.RedirectFallbackMiddleware",
Expand All @@ -94,10 +94,20 @@
"django.contrib.auth.middleware.AuthenticationMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
]

THIRD_PARTIES_MIDDLEWARE = [
"csp.middleware.CSPMiddleware",
"django_permissions_policy.PermissionsPolicyMiddleware",
"django_htmx.middleware.HtmxMiddleware",
]

LOCAL_MIDDLEWARE = [
"machina.apps.forum_permission.middleware.ForumPermissionMiddleware",
]

MIDDLEWARE = DJANGO_MIDDLEWARE + THIRD_PARTIES_MIDDLEWARE + LOCAL_MIDDLEWARE

ROOT_URLCONF = "config.urls"
LOGIN_URL = "/inclusion_connect/authorize"
LOGIN_REDIRECT_URL = "/"
Expand Down Expand Up @@ -214,6 +224,7 @@

COMPRESS_PRECOMPILERS = (("text/x-scss", "django_libsass.SassCompiler"),)


# Default primary key field type
# https://docs.djangoproject.com/en/4.1/ref/settings/#default-auto-field

Expand Down Expand Up @@ -341,6 +352,59 @@
TAGGIT_CASE_INSENSITIVE = True
TAGGIT_STRIP_UNICODE_WHEN_SLUGIFY = True

# SESSIONS
# CSP
# ---------------------------------------
CSP_DEFAULT_SRC = ("'self'",)
CSP_STYLE_SRC = ("'self'", "https://fonts.googleapis.com", "'unsafe-inline'")
CSP_STYLE_SRC_ELEM = CSP_STYLE_SRC
CSP_FONT_SRC = ("'self'", "https://fonts.gstatic.com/", "data:")
CSP_SCRIPT_SRC = ("'self'", "https://cdn.jsdelivr.net", "https://tally.so")
CSP_SCRIPT_SRC_ELEM = CSP_SCRIPT_SRC
CSP_IMG_SRC = ("'self'", "data:")
CSP_INCLUDE_NONCE_IN = ["script-src", "script-src-elem"]

# HSTS
# ---------------------------------------
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

# Clickjacking
# ---------------------------------------
X_FRAME_OPTIONS = "DENY"

# SECURITY
# ---------------------------------------
# See https://docs.djangoproject.com/en/4.1/topics/security/
# and https://docs.djangoproject.com/en/4.1/ref/middleware/#module-django.middleware.security
# See https://docs.djangoproject.com/en/4.1/ref/middleware/#http-strict-transport-security

SECURE_CONTENT_TYPE_NOSNIFF = True

SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

SECURE_CROSS_ORIGIN_OPENER_POLICY = "same-origin"

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

# PERMISSIONS POLICIES
# ---------------------------------------
PERMISSIONS_POLICY = {
"accelerometer": [],
"autoplay": [],
"camera": [],
"encrypted-media": [],
"fullscreen": [],
"geolocation": [],
"gyroscope": [],
"magnetometer": [],
"microphone": [],
"midi": [],
"payment": [],
"picture-in-picture": [],
"sync-xhr": [],
"usb": [],
}

0 comments on commit 349e76e

Please sign in to comment.