From 90e5008b03591307eb0296da57187a564ba35972 Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Sun, 7 Jan 2018 17:20:59 +0100
Subject: [PATCH] Security Enhancements.
---
 dpaste/migrations/0004_auto_20180107_1603.py | 20 ++++++++++++++++++++
 dpaste/settings/base.py | 18 +++++++++++-------
 dpaste/settings/local.py.example | 7 +++++++
 3 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 dpaste/migrations/0004_auto_20180107_1603.py
diff --git a/dpaste/migrations/0004_auto_20180107_1603.py b/dpaste/migrations/0004_auto_20180107_1603.py
new file mode 100644
index 0000000..2b8e92e
--- /dev/null
+++ b/dpaste/migrations/0004_auto_20180107_1603.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.9 on 2018-01-07 16:03
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('dpaste', '0003_snippet_highlighted'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='snippet',
+ name='lexer',
+ field=models.CharField(default='python', max_length=30, verbose_name='Lexer'),
+ ),
+ ]
diff --git a/dpaste/settings/base.py b/dpaste/settings/base.py
index cc89dd9..89675cb 100644
--- a/dpaste/settings/base.py
+++ b/dpaste/settings/base.py
@@ -70,15 +70,11 @@ LOCALE_PATHS = (
 )
 #==============================================================================
-# Static files
+# Project URLS and media settings
 #==============================================================================
 STATIC_ROOT = os.path.join(VAR_ROOT, 'static')
-#==============================================================================
-# Project URLS and media settings
-#==============================================================================
-
 STATIC_URL = '/static/'
 ADMIN_MEDIA_PREFIX = '/static/admin/'
@@ -92,14 +88,22 @@ LOGIN_REDIRECT_URL = '/'
 # Templates
 #==============================================================================
-MIDDLEWARE_CLASSES = (
+MIDDLEWARE_CLASSES = [
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
-)
+ 'django.middleware.security.SecurityMiddleware',
+ 'csp.middleware.CSPMiddleware',
+]
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_BROWSER_XSS_FILTER =True
+SECURE_CONTENT_TYPE_NOSNIFF = True
 TEMPLATES = [
 {
diff --git a/dpaste/settings/local.py.example b/dpaste/settings/local.py.example
index 00716ba..6c3b1e6 100644
--- a/dpaste/settings/local.py.example
+++ b/dpaste/settings/local.py.example
@@ -19,3 +19,10 @@ DATABASES = {
 SECRET_KEY = 'changeme'
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+INSTALLED_APPS += ('sslserver',)
+
+# Disable for local development
+if not 'runsslserver' in sys.argv:
+ SESSION_COOKIE_SECURE = False
+ CSRF_COOKIE_SECURE = False
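Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` is set unconditionally in the shared base settings, which makes `request.is_secure()` trust a client-supplied header in any deployment where no proxy in front of Django strips or overwrites `X-Forwarded-Proto`; Django's documentation for this setting says to enable it only when the proxy is known to do so. It belongs in the deployment-specific local settings, or should stay commented out in base with a note such as `# Enable only behind a TLS-terminating proxy that always overwrites X-Forwarded-Proto`. `csp.middleware.CSPMiddleware` pulls in django-csp, yet the diffstat shows no requirements change and no `CSP_*` directives appear in this hunk, so the policy actually sent is whatever the package's defaults are — presumably worth checking against the site's inline scripts and styles before deploying. `SECURE_BROWSER_XSS_FILTER =True` is missing the space after `=`. The `TEMPLATES` list opened by the hunk's last context lines continues outside the hunk.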
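Review bot: `if not 'runsslserver' in sys.argv:` references `sys`, but no `import sys` is visible in this hunk; the file's head is outside the hunk, so the import may already exist, but if it does not this example fails at import time and `import sys` should be added at the top. The idiomatic spelling is `if 'runsslserver' not in sys.argv:`. Because this block turns `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` off for any process not started via `runsslserver` — a production WSGI server included, should the example be copied as-is — the comment should say so explicitly, e.g. `# Local development only: this disables the secure-cookie flags for every process not started with runsslserver; do not carry it into a production settings file`. `INSTALLED_APPS += ('sslserver',)` also assumes `INSTALLED_APPS` is already defined by the base settings imported above the hunk.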