Add naive CSP

This is a very weak setup so far, as requires some more testing to confirm which origins are allowed for each resource.
This commit is contained in:
Jake Howard 2022-10-30 19:09:38 +00:00
parent e630ef8856
commit d809890b0f
Signed by: jake
GPG key ID: 57AFB45680EDD477
3 changed files with 26 additions and 5 deletions

21
poetry.lock generated
View file

@ -198,6 +198,21 @@ python-versions = ">=3.7"
[package.dependencies] [package.dependencies]
Django = ">=3.2" Django = ">=3.2"
[[package]]
name = "django-csp"
version = "3.7"
description = "Django Content Security Policy support."
category = "main"
optional = false
python-versions = "*"
[package.dependencies]
Django = ">=1.8"
[package.extras]
jinja2 = ["jinja2 (>=2.9.6)"]
tests = ["jinja2 (>=2.9.6)", "mock (==1.0.1)", "pep8 (==1.4.6)", "pytest (<4.0)", "pytest-django", "pytest-flakes (==1.0.1)", "pytest-pep8 (==1.0.6)", "six (==1.12.0)"]
[[package]] [[package]]
name = "django-debug-toolbar" name = "django-debug-toolbar"
version = "3.7.0" version = "3.7.0"
@ -1372,7 +1387,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools"
[metadata] [metadata]
lock-version = "1.1" lock-version = "1.1"
python-versions = "^3.10" python-versions = "^3.10"
content-hash = "2fa205bd17be3d23d23481f3e6d6b7d95b19fd925398dcb5c599ac66b4cf6578" content-hash = "8d2f240eaa055939613b5fcd9f364df73c8488de9fe3aa9e68c691ff7ad7c3d5"
[metadata.files] [metadata.files]
anyascii = [ anyascii = [
@ -1570,6 +1585,10 @@ django-cors-headers = [
{file = "django-cors-headers-3.13.0.tar.gz", hash = "sha256:f9dc6b4e3f611c3199700b3e5f3398c28757dcd559c2f82932687f3d0443cfdf"}, {file = "django-cors-headers-3.13.0.tar.gz", hash = "sha256:f9dc6b4e3f611c3199700b3e5f3398c28757dcd559c2f82932687f3d0443cfdf"},
{file = "django_cors_headers-3.13.0-py3-none-any.whl", hash = "sha256:37e42883b5f1f2295df6b4bba96eb2417a14a03270cb24b2a07f021cd4487cf4"}, {file = "django_cors_headers-3.13.0-py3-none-any.whl", hash = "sha256:37e42883b5f1f2295df6b4bba96eb2417a14a03270cb24b2a07f021cd4487cf4"},
] ]
django-csp = [
{file = "django_csp-3.7-py2.py3-none-any.whl", hash = "sha256:01443a07723f9a479d498bd7bb63571aaa771e690f64bde515db6cdb76e8041a"},
{file = "django_csp-3.7.tar.gz", hash = "sha256:01eda02ad3f10261c74131cdc0b5a6a62b7c7ad4fd017fbefb7a14776e0a9727"},
]
django-debug-toolbar = [ django-debug-toolbar = [
{file = "django-debug-toolbar-3.7.0.tar.gz", hash = "sha256:1e3acad24e3d351ba45c6fa2072e4164820307332a776b16c9f06d1f89503465"}, {file = "django-debug-toolbar-3.7.0.tar.gz", hash = "sha256:1e3acad24e3d351ba45c6fa2072e4164820307332a776b16c9f06d1f89503465"},
{file = "django_debug_toolbar-3.7.0-py3-none-any.whl", hash = "sha256:80de23066b624d3970fd296cf02d61988e5d56c31aa0dc4a428970b46e2883a8"}, {file = "django_debug_toolbar-3.7.0-py3-none-any.whl", hash = "sha256:80de23066b624d3970fd296cf02d61988e5d56c31aa0dc4a428970b46e2883a8"},

View file

@ -37,6 +37,7 @@ django3-cache-decorator = "^0.5.2"
django-cors-headers = "^3.13.0" django-cors-headers = "^3.13.0"
uritemplate = "^4.1.1" uritemplate = "^4.1.1"
PyYAML = "^6.0" PyYAML = "^6.0"
django-csp = "^3.7"
[tool.poetry.group.dev.dependencies] [tool.poetry.group.dev.dependencies]

View file

@ -103,6 +103,7 @@ MIDDLEWARE = [
"django.contrib.messages.middleware.MessageMiddleware", "django.contrib.messages.middleware.MessageMiddleware",
"wagtail.contrib.redirects.middleware.RedirectMiddleware", "wagtail.contrib.redirects.middleware.RedirectMiddleware",
"django_htmx.middleware.HtmxMiddleware", "django_htmx.middleware.HtmxMiddleware",
"csp.middleware.CSPMiddleware",
] ]
ROOT_URLCONF = "website.urls" ROOT_URLCONF = "website.urls"
@ -212,10 +213,7 @@ WAGTAILSEARCH_BACKENDS = {
WAGTAILADMIN_BASE_URL = f"https://{BASE_HOSTNAME}" WAGTAILADMIN_BASE_URL = f"https://{BASE_HOSTNAME}"
CORS_ALLOWED_ORIGINS = [ CORS_ALLOWED_ORIGINS = [WAGTAILADMIN_BASE_URL, "https://editor.swagger.io"]
WAGTAILADMIN_BASE_URL,
"https://editor.swagger.io"
]
WAGTAIL_ENABLE_UPDATE_CHECK = False WAGTAIL_ENABLE_UPDATE_CHECK = False
@ -397,6 +395,9 @@ SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
if not DEBUG: if not DEBUG:
SECURE_HSTS_SECONDS = 2592000 # 30 days SECURE_HSTS_SECONDS = 2592000 # 30 days
CSP_BLOCK_ALL_MIXED_CONTENT = True
CSP_UPGRADE_INSECURE_REQUESTS = True
if sentry_dsn := env("SENTRY_DSN"): if sentry_dsn := env("SENTRY_DSN"):
import sentry_sdk import sentry_sdk
from sentry_sdk.integrations.django import DjangoIntegration from sentry_sdk.integrations.django import DjangoIntegration