django1/django/core/checks/security/base.py

from django.conf import settings
from django.core.exceptions import ImproperlyConfigured

from .. import Error, Tags, Warning, register

CROSS_ORIGIN_OPENER_POLICY_VALUES = {
    "same-origin",
    "same-origin-allow-popups",
    "unsafe-none",
}
REFERRER_POLICY_VALUES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

SECRET_KEY_INSECURE_PREFIX = "django-insecure-"
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5

SECRET_KEY_WARNING_MSG = (
    f"Your %s has less than {SECRET_KEY_MIN_LENGTH} characters, less than "
    f"{SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters, or it's prefixed "
    f"with '{SECRET_KEY_INSECURE_PREFIX}' indicating that it was generated "
    f"automatically by Django. Please generate a long and random value, "
    f"otherwise many of Django's security-critical features will be "
    f"vulnerable to attack."
)

W001 = Warning(
    "You do not have 'django.middleware.security.SecurityMiddleware' "
    "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
    "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
    "have no effect.",
    id="security.W001",
)

W002 = Warning(
    "You do not have "
    "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
    "MIDDLEWARE, so your pages will not be served with an "
    "'x-frame-options' header. Unless there is a good reason for your "
    "site to be served in a frame, you should consider enabling this "
    "header to help prevent clickjacking attacks.",
    id="security.W002",
)

W004 = Warning(
    "You have not set a value for the SECURE_HSTS_SECONDS setting. "
    "If your entire site is served only over SSL, you may want to consider "
    "setting a value and enabling HTTP Strict Transport Security. "
    "Be sure to read the documentation first; enabling HSTS carelessly "
    "can cause serious, irreversible problems.",
    id="security.W004",
)

W005 = Warning(
    "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "
    "Without this, your site is potentially vulnerable to attack "
    "via an insecure connection to a subdomain. Only set this to True if "
    "you are certain that all subdomains of your domain should be served "
    "exclusively via SSL.",
    id="security.W005",
)

W006 = Warning(
    "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
    "so your pages will not be served with an "
    "'X-Content-Type-Options: nosniff' header. "
    "You should consider enabling this header to prevent the "
    "browser from identifying content types incorrectly.",
    id="security.W006",
)

W008 = Warning(
    "Your SECURE_SSL_REDIRECT setting is not set to True. "
    "Unless your site should be available over both SSL and non-SSL "
    "connections, you may want to either set this setting True "
    "or configure a load balancer or reverse-proxy server "
    "to redirect all connections to HTTPS.",
    id="security.W008",
)

W009 = Warning(
    SECRET_KEY_WARNING_MSG % "SECRET_KEY",
    id="security.W009",
)

W018 = Warning(
    "You should not have DEBUG set to True in deployment.",
    id="security.W018",
)

W019 = Warning(
    "You have "
    "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
    "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
    "Unless there is a good reason for your site to serve other parts of "
    "itself in a frame, you should change it to 'DENY'.",
    id="security.W019",
)

W020 = Warning(
    "ALLOWED_HOSTS must not be empty in deployment.",
    id="security.W020",
)

W021 = Warning(
    "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
    "your site cannot be submitted to the browser preload list.",
    id="security.W021",
)

W022 = Warning(
    "You have not set the SECURE_REFERRER_POLICY setting. Without this, your "
    "site will not send a Referrer-Policy header. You should consider "
    "enabling this header to protect user privacy.",
    id="security.W022",
)

E023 = Error(
    "You have set the SECURE_REFERRER_POLICY setting to an invalid value.",
    hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))),
    id="security.E023",
)

E024 = Error(
    "You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid "
    "value.",
    hint="Valid values are: {}.".format(
        ", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),
    ),
    id="security.E024",
)

W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")


def _security_middleware():
    return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE


def _xframe_middleware():
    return (
        "django.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE
    )


@register(Tags.security, deploy=True)
def check_security_middleware(app_configs, **kwargs):
    passed_check = _security_middleware()
    return [] if passed_check else [W001]


@register(Tags.security, deploy=True)
def check_xframe_options_middleware(app_configs, **kwargs):
    passed_check = _xframe_middleware()
    return [] if passed_check else [W002]


@register(Tags.security, deploy=True)
def check_sts(app_configs, **kwargs):
    passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS
    return [] if passed_check else [W004]


@register(Tags.security, deploy=True)
def check_sts_include_subdomains(app_configs, **kwargs):
    passed_check = (
        not _security_middleware()
        or not settings.SECURE_HSTS_SECONDS
        or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True
    )
    return [] if passed_check else [W005]


@register(Tags.security, deploy=True)
def check_sts_preload(app_configs, **kwargs):
    passed_check = (
        not _security_middleware()
        or not settings.SECURE_HSTS_SECONDS
        or settings.SECURE_HSTS_PRELOAD is True
    )
    return [] if passed_check else [W021]


@register(Tags.security, deploy=True)
def check_content_type_nosniff(app_configs, **kwargs):
    passed_check = (
        not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True
    )
    return [] if passed_check else [W006]


@register(Tags.security, deploy=True)
def check_ssl_redirect(app_configs, **kwargs):
    passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
    return [] if passed_check else [W008]


def _check_secret_key(secret_key):
    return (
        len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS
        and len(secret_key) >= SECRET_KEY_MIN_LENGTH
        and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)
    )


@register(Tags.security, deploy=True)
def check_secret_key(app_configs, **kwargs):
    try:
        secret_key = settings.SECRET_KEY
    except (ImproperlyConfigured, AttributeError):
        passed_check = False
    else:
        passed_check = _check_secret_key(secret_key)
    return [] if passed_check else [W009]


@register(Tags.security, deploy=True)
def check_secret_key_fallbacks(app_configs, **kwargs):
    warnings = []
    try:
        fallbacks = settings.SECRET_KEY_FALLBACKS
    except (ImproperlyConfigured, AttributeError):
        warnings.append(Warning(W025.msg % "SECRET_KEY_FALLBACKS", id=W025.id))
    else:
        for index, key in enumerate(fallbacks):
            if not _check_secret_key(key):
                warnings.append(
                    Warning(W025.msg % f"SECRET_KEY_FALLBACKS[{index}]", id=W025.id)
                )
    return warnings


@register(Tags.security, deploy=True)
def check_debug(app_configs, **kwargs):
    passed_check = not settings.DEBUG
    return [] if passed_check else [W018]


@register(Tags.security, deploy=True)
def check_xframe_deny(app_configs, **kwargs):
    passed_check = not _xframe_middleware() or settings.X_FRAME_OPTIONS == "DENY"
    return [] if passed_check else [W019]


@register(Tags.security, deploy=True)
def check_allowed_hosts(app_configs, **kwargs):
    return [] if settings.ALLOWED_HOSTS else [W020]


@register(Tags.security, deploy=True)
def check_referrer_policy(app_configs, **kwargs):
    if _security_middleware():
        if settings.SECURE_REFERRER_POLICY is None:
            return [W022]
        # Support a comma-separated string or iterable of values to allow fallback.
        if isinstance(settings.SECURE_REFERRER_POLICY, str):
            values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")}
        else:
            values = set(settings.SECURE_REFERRER_POLICY)
        if not values <= REFERRER_POLICY_VALUES:
            return [E023]
    return []


@register(Tags.security, deploy=True)
def check_cross_origin_opener_policy(app_configs, **kwargs):
    if (
        _security_middleware()
        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None
        and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
        not in CROSS_ORIGIN_OPENER_POLICY_VALUES
    ):
        return [E024]
    return []
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`from django.conf import settings`
Fixed #29324 -- Made SECRET_KEY validation lazy (on first access). 2020-07-29 15:06:54 +08:00			`from django.core.exceptions import ImproperlyConfigured`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`from .. import Error, Tags, Warning, register`

Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> 2020-08-27 00:09:19 +08:00			`CROSS_ORIGIN_OPENER_POLICY_VALUES = {`
			`"same-origin",`
			`"same-origin-allow-popups",`
			`"unsafe-none",`
			`}`
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`REFERRER_POLICY_VALUES = {`
			`"no-referrer",`
			`"no-referrer-when-downgrade",`
			`"origin",`
			`"origin-when-cross-origin",`
			`"same-origin",`
			`"strict-origin",`
			`"strict-origin-when-cross-origin",`
			`"unsafe-url",`
			`}`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys. Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews. 2020-07-14 01:40:38 +08:00			`SECRET_KEY_INSECURE_PREFIX = "django-insecure-"`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`SECRET_KEY_MIN_LENGTH = 50`
			`SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5`

Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`SECRET_KEY_WARNING_MSG = (`
			`f"Your %s has less than {SECRET_KEY_MIN_LENGTH} characters, less than "`
			`f"{SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters, or it's prefixed "`
			`f"with '{SECRET_KEY_INSECURE_PREFIX}' indicating that it was generated "`
			`f"automatically by Django. Please generate a long and random value, "`
			`f"otherwise many of Django's security-critical features will be "`
			`f"vulnerable to attack."`
			`)`

Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`W001 = Warning(`
			`"You do not have 'django.middleware.security.SecurityMiddleware' "`
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`"in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "`
Fixed #32678 -- Removed SECURE_BROWSER_XSS_FILTER setting. 2021-04-23 20:59:35 +08:00			`"SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "`
			`"SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "`
			`"have no effect.",`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`id="security.W001",`
			`)`

			`W002 = Warning(`
			`"You do not have "`
			`"'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "`
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`"MIDDLEWARE, so your pages will not be served with an "`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`"'x-frame-options' header. Unless there is a good reason for your "`
			`"site to be served in a frame, you should consider enabling this "`
			`"header to help prevent clickjacking attacks.",`
			`id="security.W002",`
			`)`

			`W004 = Warning(`
			`"You have not set a value for the SECURE_HSTS_SECONDS setting. "`
			`"If your entire site is served only over SSL, you may want to consider "`
			`"setting a value and enabling HTTP Strict Transport Security. "`
			`"Be sure to read the documentation first; enabling HSTS carelessly "`
			`"can cause serious, irreversible problems.",`
			`id="security.W004",`
			`)`

			`W005 = Warning(`
			`"You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "`
			`"Without this, your site is potentially vulnerable to attack "`
			`"via an insecure connection to a subdomain. Only set this to True if "`
			`"you are certain that all subdomains of your domain should be served "`
			`"exclusively via SSL.",`
			`id="security.W005",`
			`)`

			`W006 = Warning(`
			`"Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "`
			`"so your pages will not be served with an "`
Capitalized SecurityMiddleware headers for consistency with other headers. (No behavior change since HTTP headers are case insensitive.) 2018-10-30 06:19:04 +08:00			`"'X-Content-Type-Options: nosniff' header. "`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`"You should consider enabling this header to prevent the "`
			`"browser from identifying content types incorrectly.",`
			`id="security.W006",`
			`)`

			`W008 = Warning(`
			`"Your SECURE_SSL_REDIRECT setting is not set to True. "`
			`"Unless your site should be available over both SSL and non-SSL "`
			`"connections, you may want to either set this setting True "`
			`"or configure a load balancer or reverse-proxy server "`
			`"to redirect all connections to HTTPS.",`
			`id="security.W008",`
			`)`

			`W009 = Warning(`
Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`SECRET_KEY_WARNING_MSG % "SECRET_KEY",`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`id="security.W009",`
			`)`

			`W018 = Warning(`
			`"You should not have DEBUG set to True in deployment.",`
			`id="security.W018",`
			`)`

			`W019 = Warning(`
			`"You have "`
			`"'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "`
Fixed #26601 -- Improved middleware per DEP 0005. Thanks Tim Graham for polishing the patch, updating the tests, and writing documentation. Thanks Carl Meyer for shepherding the DEP. 2015-11-07 23:12:37 +08:00			`"MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "`
Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY. 2019-09-07 15:52:10 +08:00			`"Unless there is a good reason for your site to serve other parts of "`
			`"itself in a frame, you should change it to 'DENY'.",`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`id="security.W019",`
			`)`

Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS. 2015-06-17 04:08:03 +08:00			`W020 = Warning(`
			`"ALLOWED_HOSTS must not be empty in deployment.",`
			`id="security.W020",`
			`)`

Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD. 2016-07-26 20:05:27 +08:00			`W021 = Warning(`
			`"You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "`
			`"your site cannot be submitted to the browser preload list.",`
			`id="security.W021",`
			`)`

Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00			`W022 = Warning(`
			`"You have not set the SECURE_REFERRER_POLICY setting. Without this, your "`
			`"site will not send a Referrer-Policy header. You should consider "`
			`"enabling this header to protect user privacy.",`
			`id="security.W022",`
			`)`

			`E023 = Error(`
			`"You have set the SECURE_REFERRER_POLICY setting to an invalid value.",`
			`hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))),`
			`id="security.E023",`
			`)`

Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> 2020-08-27 00:09:19 +08:00			`E024 = Error(`
			`"You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid "`
			`"value.",`
			`hint="Valid values are: {}.".format(`
			`", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),`
			`),`
			`id="security.E024",`
			`)`

Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")`

Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00
			`def _security_middleware():`
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. 2017-01-01 02:24:00 +08:00			`return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00

			`def _xframe_middleware():`
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. 2017-01-01 02:24:00 +08:00			`return (`
			`"django.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE`
Refs #33476 -- Reformatted code with Black. 2022-02-04 03:24:19 +08:00			`)`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_security_middleware(app_configs, **kwargs):`
			`passed_check = _security_middleware()`
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. 2017-01-01 02:24:00 +08:00			`return [] if passed_check else [W001]`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_xframe_options_middleware(app_configs, **kwargs):`
			`passed_check = _xframe_middleware()`
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. 2017-01-01 02:24:00 +08:00			`return [] if passed_check else [W002]`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_sts(app_configs, **kwargs):`
			`passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS`
			`return [] if passed_check else [W004]`


			`@register(Tags.security, deploy=True)`
			`def check_sts_include_subdomains(app_configs, **kwargs):`
			`passed_check = (`
			`not _security_middleware()`
			`or not settings.SECURE_HSTS_SECONDS`
			`or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True`
			`)`
			`return [] if passed_check else [W005]`


Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD. 2016-07-26 20:05:27 +08:00			`@register(Tags.security, deploy=True)`
			`def check_sts_preload(app_configs, **kwargs):`
			`passed_check = (`
			`not _security_middleware()`
			`or not settings.SECURE_HSTS_SECONDS`
			`or settings.SECURE_HSTS_PRELOAD is True`
			`)`
			`return [] if passed_check else [W021]`


Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`@register(Tags.security, deploy=True)`
			`def check_content_type_nosniff(app_configs, **kwargs):`
			`passed_check = (`
			`not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True`
			`)`
			`return [] if passed_check else [W006]`


			`@register(Tags.security, deploy=True)`
			`def check_ssl_redirect(app_configs, **kwargs):`
			`passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True`
			`return [] if passed_check else [W008]`


Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`def _check_secret_key(secret_key):`
			`return (`
			`len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS`
			`and len(secret_key) >= SECRET_KEY_MIN_LENGTH`
			`and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)`
			`)`


Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`@register(Tags.security, deploy=True)`
			`def check_secret_key(app_configs, **kwargs):`
Fixed #29324 -- Made SECRET_KEY validation lazy (on first access). 2020-07-29 15:06:54 +08:00			`try:`
			`secret_key = settings.SECRET_KEY`
			`except (ImproperlyConfigured, AttributeError):`
			`passed_check = False`
			`else:`
Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`passed_check = _check_secret_key(secret_key)`
Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`return [] if passed_check else [W009]`


Fixed #30360 -- Added support for secret key rotation. Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 2021-12-14 11:47:03 +08:00			`@register(Tags.security, deploy=True)`
			`def check_secret_key_fallbacks(app_configs, **kwargs):`
			`warnings = []`
			`try:`
			`fallbacks = settings.SECRET_KEY_FALLBACKS`
			`except (ImproperlyConfigured, AttributeError):`
			`warnings.append(Warning(W025.msg % "SECRET_KEY_FALLBACKS", id=W025.id))`
			`else:`
			`for index, key in enumerate(fallbacks):`
			`if not _check_secret_key(key):`
			`warnings.append(`
			`Warning(W025.msg % f"SECRET_KEY_FALLBACKS[{index}]", id=W025.id)`
			`)`
			`return warnings`


Fixed #17101 -- Integrated django-secure and added check --deploy option Thanks Carl Meyer for django-secure and for reviewing. Thanks also to Zach Borboa, Erik Romijn, Collin Anderson, and Jorge Carleitao for reviews. 2014-09-13 02:50:36 +08:00			`@register(Tags.security, deploy=True)`
			`def check_debug(app_configs, **kwargs):`
			`passed_check = not settings.DEBUG`
			`return [] if passed_check else [W018]`


			`@register(Tags.security, deploy=True)`
			`def check_xframe_deny(app_configs, **kwargs):`
			`passed_check = not _xframe_middleware() or settings.X_FRAME_OPTIONS == "DENY"`
Refs #26601 -- Removed support for old-style middleware using settings.MIDDLEWARE_CLASSES. 2017-01-01 02:24:00 +08:00			`return [] if passed_check else [W019]`
Fixed #24966 -- Added deployment system check for empty ALLOWED_HOSTS. 2015-06-17 04:08:03 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_allowed_hosts(app_configs, **kwargs):`
			`return [] if settings.ALLOWED_HOSTS else [W020]`
Fixed #29406 -- Added support for Referrer-Policy header. Thanks to James Bennett for the initial implementation. 2019-03-22 05:33:41 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_referrer_policy(app_configs, **kwargs):`
			`if _security_middleware():`
			`if settings.SECURE_REFERRER_POLICY is None:`
			`return [W022]`
			`# Support a comma-separated string or iterable of values to allow fallback.`
			`if isinstance(settings.SECURE_REFERRER_POLICY, str):`
			`values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")}`
			`else:`
			`values = set(settings.SECURE_REFERRER_POLICY)`
			`if not values <= REFERRER_POLICY_VALUES:`
			`return [E023]`
			`return []`
Fixed #31840 -- Added support for Cross-Origin Opener Policy header. Thanks Adam Johnson and Tim Graham for the reviews. Co-authored-by: Tim Graham <timograham@gmail.com> 2020-08-27 00:09:19 +08:00

			`@register(Tags.security, deploy=True)`
			`def check_cross_origin_opener_policy(app_configs, **kwargs):`
			`if (`
			`_security_middleware()`
			`and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None`
			`and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY`
			`not in CROSS_ORIGIN_OPENER_POLICY_VALUES`
			`):`
			`return [E024]`
			`return []`