22: Enable recommended-by-Django security settings as defaults

The base settings now follow all-but-one of the recommendations from manage.py `check --deploy`. The only one that's not been done in this changeset is SECURE_HSTS_SECONDS, because of the risk of "serious, irreversible problems". That needs to be planned in to enable it properly. Note that we're explicitly setting what HTTP header to look for to detect the SSL-forwarded header, which should stop the redirect loop in production. Development settings turn off SSL redirect, because the local build isn't set to use HTTPS. (It could be tweaked to use HTTPS, too - but that's out of scope for this piece)
mdn · Sep 23, 2019 · 98a9c3c · 98a9c3c
1 parent 9dcb9d6
commit 98a9c3c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/developerportal/settings/base.py b/developerportal/settings/base.py
@@ -188,6 +188,16 @@
 MEDIA_URL = "/media/"
 
 
+# Django security settings (see `manage.py check --deploy`)
+
+CSRF_COOKIE_SECURE = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+X_FRAME_OPTIONS = "DENY"
+
 # Wagtail settings
 
 WAGTAIL_SITE_NAME = "Mozilla Developers"

diff --git a/developerportal/settings/dev.py b/developerportal/settings/dev.py
@@ -8,6 +8,7 @@
 
 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
+SECURE_SSL_REDIRECT = False
 
 try:
     from .local import *
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ @@
     EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
+    SECURE_SSL_REDIRECT = False
     try:
         from .local import *
@@ Expand Down @@