22: Enable SSL redirect and other security settings (#203)

* 22: Enable recommended-by-Django security settings as defaults

The base settings now follow all-but-one of the recommendations from manage.py `check --deploy`.
The only one that's not been done in this changeset is SECURE_HSTS_SECONDS, because of the risk of "serious, irreversible problems". That needs to be planned in to enable it properly.

Note that we're explicitly setting what HTTP header to look for to detect the SSL-forwarded header, which should stop the redirect loop in production.

Development settings turn off SSL redirect, because the local build isn't set to use HTTPS. (It could be tweaked to use HTTPS, too - but that's out of scope for this piece)

* 22: Address issue with wagtail-bakery where SECURE_SSL_REDIRECT=True bakes out empty HTML

This commit subclasses wagtail-bakery's `AllPublishedPagesView` in a way that detects
application-level SSL redirection in order to avoid an issue where rendered pages end up
being 0 bytes.

See wagtail-nest/wagtail-bakery#24 for confirmation of the
issue and the discussion on wagtail-nest/wagtail-bakery#25
that points to a custom view being the (current) workaround. Ideally we'll be
able to replace this when that issue is resolved.

The code in this commit is basically taken from that closed PR, which adds the
`secure_request` variable. Hat-tip to @loicteixeira - thanks!

No unit test added, but manually tested locally to confirm this does indeed fix the
static build while `SECURE_SSL_REDIRECT` is `True`

developerportal/apps/bakery/views.py

@@ -0,0 +1,39 @@
+import logging
+
+from django.conf import settings
+from django.test.client import RequestFactory
+
+from wagtailbakery.views import AllPublishedPagesView
+
+logger = logging.getLogger(__name__)
+
+
+class AllPublishedPagesViewAllowingSecureRedirect(AllPublishedPagesView):
+    """Extension of `AllPublishedPagesView` that detects application-level SSL
+    redirection in order to avoid an issue where rendered pages end up being 0 bytes
+
+    See https://github.com/wagtail/wagtail-bakery/issues/24 for confirmation of the
+    issue and the discussion on https://github.com/wagtail/wagtail-bakery/pull/25
+    that points to a custom view being the (current) workaround. Ideally we'll be
+    able to replace this when that issue is resolved.
+
+    The following code is taken from that closed PR, which adds the `secure_request`
+    variable.
+    """
+
+    def build_object(self, obj):
+        """
+        Build wagtail page and set SERVER_NAME to retrieve corresponding site
+        object.
+        """
+        site = obj.get_site()
+        logger.debug("Building %s" % obj)
+        secure_request = site.port == 443 or getattr(
+            settings, "SECURE_SSL_REDIRECT", False
+        )
+        self.request = RequestFactory(SERVER_NAME=site.hostname).get(
+            self.get_url(obj), secure=secure_request
+        )
+        self.set_kwargs(obj)
+        path = self.get_build_path(obj)
+        self.build_file(path, self.get_content(obj))

developerportal/settings/base.py

@@ -188,6 +188,16 @@
 MEDIA_URL = "/media/"
 
 
+# Django security settings (see `manage.py check --deploy`)
+
+CSRF_COOKIE_SECURE = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+X_FRAME_OPTIONS = "DENY"
+
 # Wagtail settings
 
 WAGTAIL_SITE_NAME = "Mozilla Developers"
@@ -215,7 +225,9 @@
 # Wagtail Bakery Settings
 BUILD_DIR = os.path.join(BASE_DIR, "build")
 BAKERY_MULTISITE = True
-BAKERY_VIEWS = ("wagtailbakery.views.AllPublishedPagesView",)
+BAKERY_VIEWS = (
+    "developerportal.apps.bakery.views.AllPublishedPagesViewAllowingSecureRedirect",
+)
 AWS_REGION = os.environ.get("AWS_REGION")
 AWS_BUCKET_NAME = os.environ.get("AWS_BUCKET_NAME")
 

developerportal/settings/dev.py

@@ -8,6 +8,7 @@
 
 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
+SECURE_SSL_REDIRECT = False
 
 try:
     from .local import *