Merge branch 'secure_headers' into 'master'

Add secure headers Closes #28 See merge request archlinux/archmanweb!28
2021-06-05 06:09:15 +00:00 · 2021-06-05 06:09:15 +00:00 · 7a646a2149
parent 275f3ee173 f51f27f41a
commit 7a646a2149
2 changed files with 21 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@

 ## Dependencies

-	pacman -S pyalpm python-chardet python-django python-psycopg2 python-requests python-xtarfile
+	pacman -S pyalpm python-chardet python-django python-django-csp python-psycopg2 python-requests python-xtarfile

 ## Installation

--- a/settings.py
+++ b/settings.py
@ -17,8 +17,28 @@ MIDDLEWARE = [
    "django.middleware.common.CommonMiddleware",
    # https://docs.djangoproject.com/en/3.1/ref/csrf/
    "django.middleware.csrf.CsrfViewMiddleware",
+    # https://docs.djangoproject.com/en/3.1/ref/clickjacking/
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    # https://docs.djangoproject.com/en/3.1/ref/middleware/#django.middleware.security.SecurityMiddleware
+    "django.middleware.security.SecurityMiddleware",
+    # https://django-csp.readthedocs.io/en/latest/
+    "csp.middleware.CSPMiddleware",
 ]

+# Referrer Policy
+SECURE_REFERRER_POLICY = 'no-referrer-when-downgrade'
+
+# X-XSS-Protection, enables cross-site scripting filter in most browsers
+SECURE_BROWSER_XSS_FILTER = True
+
+# CSP Settings
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'none'",)
+CSP_IMG_SRC = ("'self'",)
+CSP_BASE_URI = ("'none'",)
+CSP_FORM_ACTION = ("'self'",)
+CSP_FRAME_ANCESTORS = ("'none'",)
+
 # Base of the URL hierarchy
 ROOT_URLCONF = "urls"