django1/django/middleware/security.py

import re

from django.conf import settings
from django.http import HttpResponsePermanentRedirect
from django.utils.deprecation import MiddlewareMixin


class SecurityMiddleware(MiddlewareMixin):
    def __init__(self, get_response):
        super().__init__(get_response)
        self.sts_seconds = settings.SECURE_HSTS_SECONDS
        self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS
        self.sts_preload = settings.SECURE_HSTS_PRELOAD
        self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF
        self.redirect = settings.SECURE_SSL_REDIRECT
        self.redirect_host = settings.SECURE_SSL_HOST
        self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
        self.referrer_policy = settings.SECURE_REFERRER_POLICY
        self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY

    def process_request(self, request):
        path = request.path.lstrip("/")
        if (
            self.redirect
            and not request.is_secure()
            and not any(pattern.search(path) for pattern in self.redirect_exempt)
        ):
            host = self.redirect_host or request.get_host()
            return HttpResponsePermanentRedirect(
                "https://%s%s" % (host, request.get_full_path())
            )

    def process_response(self, request, response):
        if (
            self.sts_seconds
            and request.is_secure()
            and "Strict-Transport-Security" not in response
        ):
            sts_header = "max-age=%s" % self.sts_seconds
            if self.sts_include_subdomains:
                sts_header = sts_header + "; includeSubDomains"
            if self.sts_preload:
                sts_header = sts_header + "; preload"
            response.headers["Strict-Transport-Security"] = sts_header

        if self.content_type_nosniff:
            response.headers.setdefault("X-Content-Type-Options", "nosniff")

        if self.referrer_policy:
            # Support a comma-separated string or iterable of values to allow
            # fallback.
            response.headers.setdefault(
                "Referrer-Policy",
                ",".join(
                    [v.strip() for v in self.referrer_policy.split(",")]
                    if isinstance(self.referrer_policy, str)
                    else self.referrer_policy
                ),
            )

        if self.cross_origin_opener_policy:
            response.setdefault(
                "Cross-Origin-Opener-Policy",
                self.cross_origin_opener_policy,
            )
        return response
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`import re`

			`from django.conf import settings`
			`from django.http import HttpResponsePermanentRedirect`
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`from django.utils.deprecation import MiddlewareMixin`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00

Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`class SecurityMiddleware(MiddlewareMixin):`
Refs #26601 -- Made get_response argument required and don't accept None in middleware classes. Per deprecation timeline. 2021-01-13 03:55:32 +08:00			`def __init__(self, get_response):`
Fixed #31928 -- Fixed detecting an async get_response in various middlewares. SecurityMiddleware and the three cache middlewares were not calling super().__init__() during their initialization or calling the required MiddlewareMixin._async_check() method. This made the middlewares not properly present as coroutine and confused the middleware chain when used in a fully async context. Thanks Kordian Kowalski for the report. 2020-08-25 04:25:33 +08:00			`super().__init__(get_response)`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`self.sts_seconds = settings.SECURE_HSTS_SECONDS`
			`self.sts_include_subdomains = settings.SECURE_HSTS_INCLUDE_SUBDOMAINS`
Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-07-29 00:48:07 +08:00			`self.sts_preload = settings.SECURE_HSTS_PRELOAD`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`self.content_type_nosniff = settings.SECURE_CONTENT_TYPE_NOSNIFF`
			`self.redirect = settings.SECURE_SSL_REDIRECT`
			`self.redirect_host = settings.SECURE_SSL_HOST`
			`self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]`
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`self.referrer_policy = settings.SECURE_REFERRER_POLICY`
Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> 2020-08-27 00:09:19 +08:00			`self.cross_origin_opener_policy = settings.SECURE_CROSS_ORIGIN_OPENER_POLICY`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
			`def process_request(self, request):`
			`path = request.path.lstrip("/")`
			`if (`
			`self.redirect`
			`and not request.is_secure()`
			`and not any(pattern.search(path) for pattern in self.redirect_exempt)`
			`):`
			`host = self.redirect_host or request.get_host()`
			`return HttpResponsePermanentRedirect(`
			`"https://%s%s" % (host, request.get_full_path())`
			`)`

			`def process_response(self, request, response):`
			`if (`
			`self.sts_seconds`
			`and request.is_secure()`
Capitalized SecurityMiddleware headers for consistency with other headers. (No behavior change since HTTP headers are case insensitive.) 2018-10-30 06:19:04 +08:00			`and "Strict-Transport-Security" not in response`
			`):`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`sts_header = "max-age=%s" % self.sts_seconds`
			`if self.sts_include_subdomains:`
			`sts_header = sts_header + "; includeSubDomains"`
Fixed #26947 -- Added an option to enable the HSTS header preload directive. 2016-07-29 00:48:07 +08:00			`if self.sts_preload:`
			`sts_header = sts_header + "; preload"`
Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-07-14 19:32:24 +08:00			`response.headers["Strict-Transport-Security"] = sts_header`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
Fixed #28795 -- Removed 'not in' checks and used dict.setdefault(). 2017-11-14 05:15:49 +08:00			`if self.content_type_nosniff:`
Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-07-14 19:32:24 +08:00			`response.headers.setdefault("X-Content-Type-Options", "nosniff")`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`if self.referrer_policy:`
			`# Support a comma-separated string or iterable of values to allow`
			`# fallback.`
Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-07-14 19:32:24 +08:00			`response.headers.setdefault(`
			`"Referrer-Policy",`
			`",".join(`
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`[v.strip() for v in self.referrer_policy.split(",")]`
			`if isinstance(self.referrer_policy, str)`
			`else self.referrer_policy`
Refs #33476 -- Reformatted code with Black. 2022-02-04 03:24:19 +08:00			`),`
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`)`

Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> 2020-08-27 00:09:19 +08:00			`if self.cross_origin_opener_policy:`
			`response.setdefault(`
			`"Cross-Origin-Opener-Policy",`
			`self.cross_origin_opener_policy,`
			`)`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`return response`