added some security features

54d28387 · Ben Adida · b95b25f1 · 54d28387 · 54d28387
Commit 54d28387 authored 11 years ago by Ben Adida
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,3 +18,4 @@ django-sslify==0.2
 django_webtest==1.7.5
 webtest==2.0.7
 django-db-pool==0.0.10
+django-secure==0.1.2
--- a/settings.py
+++ b/settings.py
@@ -70,6 +70,21 @@ STATIC_URL = '/media/'
 # Make this unique, and don't share it with anybody.
 SECRET_KEY = get_from_env('SECRET_KEY', 'replaceme')

+# Secure Stuff
+if (get_from_env('SSL', '0') == '1'):
+    SECURE_SSL_REDIRECT = True
+    SESSION_COOKIE_SECURE = True
+
+SESSION_COOKIE_HTTPONLY = True
+
+# one week HSTS seems like a good balance for MITM prevention
+if (get_from_env('HSTS', '0') == '1'):
+    SECURE_HSTS_SECONDS = 3600 * 24 * 7
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+
 # List of callables that know how to import templates from various sources.
 TEMPLATE_LOADERS = (
    'django.template.loaders.filesystem.Loader',
@@ -78,7 +93,10 @@ TEMPLATE_LOADERS = (

 MIDDLEWARE_CLASSES = (
    # make all things SSL
-    'sslify.middleware.SSLifyMiddleware',
+    #'sslify.middleware.SSLifyMiddleware',
+
+    # secure a bunch of things
+    'djangosecure.middleware.SecurityMiddleware',

    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
@@ -96,6 +114,7 @@ TEMPLATE_DIRS = (
 INSTALLED_APPS = (
 #    'django.contrib.auth',
 #    'django.contrib.contenttypes',
+    'djangosecure',
    'django.contrib.sessions',
    'django.contrib.sites',
    ## needed for queues