p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD.

This commit is contained in:
Ed Morley 2016-07-26 13:05:27 +01:00 committed by Tim Graham
parent 3c2447dd13
commit 7399fee6c3
4 changed files with 64 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
django/core/checks/security/base.py
View File

@ -101,6 +101,12 @@ W020 = Warning(
id='security.W020', id='security.W020',
) )
W021 = Warning(
"You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
"your site cannot be submitted to the browser preload list.",
id='security.W021',
)
def _security_middleware(): def _security_middleware():
return ("django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES or return ("django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES or
@ -140,6 +146,16 @@ def check_sts_include_subdomains(app_configs, **kwargs):
return [] if passed_check else [W005] return [] if passed_check else [W005]
@register(Tags.security, deploy=True)
def check_sts_preload(app_configs, **kwargs):
passed_check = (
not _security_middleware() or
not settings.SECURE_HSTS_SECONDS or
settings.SECURE_HSTS_PRELOAD is True
)
return [] if passed_check else [W021]
@register(Tags.security, deploy=True) @register(Tags.security, deploy=True)
def check_content_type_nosniff(app_configs, **kwargs): def check_content_type_nosniff(app_configs, **kwargs):
passed_check = ( passed_check = (

3
docs/ref/checks.txt
View File

@ -596,6 +596,9 @@ The following checks are run if you use the :option:`check --deploy` option:
for your site to serve other parts of itself in a frame, you should change for your site to serve other parts of itself in a frame, you should change
it to ``'DENY'``. it to ``'DENY'``.
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment. * **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
* **security.W021**: You have not set the
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
cannot be submitted to the browser preload list.
Sites Sites
----- -----

1
docs/spelling_wordlist
View File

@ -594,6 +594,7 @@ prefetches
prefetching prefetching
prefork prefork
preforked preforked
preload
prepend prepend
prepended prepended
prepending prepending

44
tests/check_framework/test_security.py
View File

@ -307,6 +307,50 @@ class CheckStrictTransportSecuritySubdomainsTest(SimpleTestCase):
self.assertEqual(self.func(None), []) self.assertEqual(self.func(None), [])
class CheckStrictTransportSecurityPreloadTest(SimpleTestCase):
@property
def func(self):
from django.core.checks.security.base import check_sts_preload
return check_sts_preload
@override_settings(
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
SECURE_HSTS_PRELOAD=False,
SECURE_HSTS_SECONDS=3600,
)
def test_no_sts_preload(self):
"""
Warn if SECURE_HSTS_PRELOAD isn't True.
"""
self.assertEqual(self.func(None), [base.W021])
@override_settings(MIDDLEWARE=[], SECURE_HSTS_PRELOAD=False, SECURE_HSTS_SECONDS=3600)
def test_no_sts_preload_no_middleware(self):
"""
Don't warn if SecurityMiddleware isn't installed.
"""
self.assertEqual(self.func(None), [])
@override_settings(
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
SECURE_SSL_REDIRECT=False,
SECURE_HSTS_SECONDS=None,
)
def test_no_sts_preload_no_seconds(self):
"""
Don't warn if SECURE_HSTS_SECONDS isn't set.
"""
self.assertEqual(self.func(None), [])
@override_settings(
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
SECURE_HSTS_PRELOAD=True,
SECURE_HSTS_SECONDS=3600,
)
def test_with_sts_preload(self):
self.assertEqual(self.func(None), [])
class CheckXFrameOptionsMiddlewareTest(SimpleTestCase): class CheckXFrameOptionsMiddlewareTest(SimpleTestCase):
@property @property
def func(self): def func(self):