Security Enhancements.

2024-11-15 08:02:54 +11:00 · 2018-01-07 17:20:59 +01:00 · 2018-01-07 17:20:59 +01:00 · 90e5008b03
commit 90e5008b03
parent 4924c88107
3 changed files with 38 additions and 7 deletions
--- a/dpaste/migrations/0004_auto_20180107_1603.py
+++ b/dpaste/migrations/0004_auto_20180107_1603.py
@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.9 on 2018-01-07 16:03
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dpaste', '0003_snippet_highlighted'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='snippet',
+            name='lexer',
+            field=models.CharField(default='python', max_length=30, verbose_name='Lexer'),
+        ),
+    ]
--- a/dpaste/settings/base.py
+++ b/dpaste/settings/base.py
@ -70,15 +70,11 @@ LOCALE_PATHS = (
 )

 #==============================================================================
-# Static files
+# Project URLS and media settings
 #==============================================================================

 STATIC_ROOT = os.path.join(VAR_ROOT, 'static')

-#==============================================================================
-# Project URLS and media settings
-#==============================================================================
-
 STATIC_URL = '/static/'
 ADMIN_MEDIA_PREFIX = '/static/admin/'

@ -92,14 +88,22 @@ LOGIN_REDIRECT_URL = '/'
 # Templates
 #==============================================================================

-MIDDLEWARE_CLASSES = (
+MIDDLEWARE_CLASSES = [
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
-)
+    'django.middleware.security.SecurityMiddleware',
+    'csp.middleware.CSPMiddleware',
+]

+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_BROWSER_XSS_FILTER =True
+SECURE_CONTENT_TYPE_NOSNIFF = True

 TEMPLATES = [
    {
--- a/dpaste/settings/local.py.example
+++ b/dpaste/settings/local.py.example
@ -19,3 +19,10 @@ DATABASES = {
 SECRET_KEY = 'changeme'

 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+INSTALLED_APPS += ('sslserver',)
+
+# Disable for local development
+if not 'runsslserver' in sys.argv:
+    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = False