Coverage for /var/srv/projects/api.amasfac.comuna18.com/tmp/venv/lib/python3.9/site-packages/django/core/checks/security/base.py: 50%
89 statements
« prev ^ index » next coverage.py v6.4.4, created at 2023-07-17 14:22 -0600
« prev ^ index » next coverage.py v6.4.4, created at 2023-07-17 14:22 -0600
1from django.conf import settings
2from django.core.exceptions import ImproperlyConfigured
4from .. import Error, Tags, Warning, register
6CROSS_ORIGIN_OPENER_POLICY_VALUES = {
7 "same-origin",
8 "same-origin-allow-popups",
9 "unsafe-none",
10}
11REFERRER_POLICY_VALUES = {
12 "no-referrer",
13 "no-referrer-when-downgrade",
14 "origin",
15 "origin-when-cross-origin",
16 "same-origin",
17 "strict-origin",
18 "strict-origin-when-cross-origin",
19 "unsafe-url",
20}
22SECRET_KEY_INSECURE_PREFIX = "django-insecure-"
23SECRET_KEY_MIN_LENGTH = 50
24SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
26W001 = Warning(
27 "You do not have 'django.middleware.security.SecurityMiddleware' "
28 "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
29 "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
30 "SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settings will "
31 "have no effect.",
32 id="security.W001",
33)
35W002 = Warning(
36 "You do not have "
37 "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
38 "MIDDLEWARE, so your pages will not be served with an "
39 "'x-frame-options' header. Unless there is a good reason for your "
40 "site to be served in a frame, you should consider enabling this "
41 "header to help prevent clickjacking attacks.",
42 id="security.W002",
43)
45W004 = Warning(
46 "You have not set a value for the SECURE_HSTS_SECONDS setting. "
47 "If your entire site is served only over SSL, you may want to consider "
48 "setting a value and enabling HTTP Strict Transport Security. "
49 "Be sure to read the documentation first; enabling HSTS carelessly "
50 "can cause serious, irreversible problems.",
51 id="security.W004",
52)
54W005 = Warning(
55 "You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. "
56 "Without this, your site is potentially vulnerable to attack "
57 "via an insecure connection to a subdomain. Only set this to True if "
58 "you are certain that all subdomains of your domain should be served "
59 "exclusively via SSL.",
60 id="security.W005",
61)
63W006 = Warning(
64 "Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, "
65 "so your pages will not be served with an "
66 "'X-Content-Type-Options: nosniff' header. "
67 "You should consider enabling this header to prevent the "
68 "browser from identifying content types incorrectly.",
69 id="security.W006",
70)
72W008 = Warning(
73 "Your SECURE_SSL_REDIRECT setting is not set to True. "
74 "Unless your site should be available over both SSL and non-SSL "
75 "connections, you may want to either set this setting True "
76 "or configure a load balancer or reverse-proxy server "
77 "to redirect all connections to HTTPS.",
78 id="security.W008",
79)
81W009 = Warning(
82 "Your SECRET_KEY has less than %(min_length)s characters, less than "
83 "%(min_unique_chars)s unique characters, or it's prefixed with "
84 "'%(insecure_prefix)s' indicating that it was generated automatically by "
85 "Django. Please generate a long and random SECRET_KEY, otherwise many of "
86 "Django's security-critical features will be vulnerable to attack."
87 % {
88 "min_length": SECRET_KEY_MIN_LENGTH,
89 "min_unique_chars": SECRET_KEY_MIN_UNIQUE_CHARACTERS,
90 "insecure_prefix": SECRET_KEY_INSECURE_PREFIX,
91 },
92 id="security.W009",
93)
95W018 = Warning(
96 "You should not have DEBUG set to True in deployment.",
97 id="security.W018",
98)
100W019 = Warning(
101 "You have "
102 "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
103 "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
104 "Unless there is a good reason for your site to serve other parts of "
105 "itself in a frame, you should change it to 'DENY'.",
106 id="security.W019",
107)
109W020 = Warning(
110 "ALLOWED_HOSTS must not be empty in deployment.",
111 id="security.W020",
112)
114W021 = Warning(
115 "You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
116 "your site cannot be submitted to the browser preload list.",
117 id="security.W021",
118)
120W022 = Warning(
121 "You have not set the SECURE_REFERRER_POLICY setting. Without this, your "
122 "site will not send a Referrer-Policy header. You should consider "
123 "enabling this header to protect user privacy.",
124 id="security.W022",
125)
127E023 = Error(
128 "You have set the SECURE_REFERRER_POLICY setting to an invalid value.",
129 hint="Valid values are: {}.".format(", ".join(sorted(REFERRER_POLICY_VALUES))),
130 id="security.E023",
131)
133E024 = Error(
134 "You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid "
135 "value.",
136 hint="Valid values are: {}.".format(
137 ", ".join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES)),
138 ),
139 id="security.E024",
140)
143def _security_middleware():
144 return "django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE
147def _xframe_middleware():
148 return (
149 "django.middleware.clickjacking.XFrameOptionsMiddleware" in settings.MIDDLEWARE
150 )
153@register(Tags.security, deploy=True)
154def check_security_middleware(app_configs, **kwargs):
155 passed_check = _security_middleware()
156 return [] if passed_check else [W001]
159@register(Tags.security, deploy=True)
160def check_xframe_options_middleware(app_configs, **kwargs):
161 passed_check = _xframe_middleware()
162 return [] if passed_check else [W002]
165@register(Tags.security, deploy=True)
166def check_sts(app_configs, **kwargs):
167 passed_check = not _security_middleware() or settings.SECURE_HSTS_SECONDS
168 return [] if passed_check else [W004]
171@register(Tags.security, deploy=True)
172def check_sts_include_subdomains(app_configs, **kwargs):
173 passed_check = (
174 not _security_middleware()
175 or not settings.SECURE_HSTS_SECONDS
176 or settings.SECURE_HSTS_INCLUDE_SUBDOMAINS is True
177 )
178 return [] if passed_check else [W005]
181@register(Tags.security, deploy=True)
182def check_sts_preload(app_configs, **kwargs):
183 passed_check = (
184 not _security_middleware()
185 or not settings.SECURE_HSTS_SECONDS
186 or settings.SECURE_HSTS_PRELOAD is True
187 )
188 return [] if passed_check else [W021]
191@register(Tags.security, deploy=True)
192def check_content_type_nosniff(app_configs, **kwargs):
193 passed_check = (
194 not _security_middleware() or settings.SECURE_CONTENT_TYPE_NOSNIFF is True
195 )
196 return [] if passed_check else [W006]
199@register(Tags.security, deploy=True)
200def check_ssl_redirect(app_configs, **kwargs):
201 passed_check = not _security_middleware() or settings.SECURE_SSL_REDIRECT is True
202 return [] if passed_check else [W008]
205@register(Tags.security, deploy=True)
206def check_secret_key(app_configs, **kwargs):
207 try:
208 secret_key = settings.SECRET_KEY
209 except (ImproperlyConfigured, AttributeError):
210 passed_check = False
211 else:
212 passed_check = (
213 len(set(secret_key)) >= SECRET_KEY_MIN_UNIQUE_CHARACTERS
214 and len(secret_key) >= SECRET_KEY_MIN_LENGTH
215 and not secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)
216 )
217 return [] if passed_check else [W009]
220@register(Tags.security, deploy=True)
221def check_debug(app_configs, **kwargs):
222 passed_check = not settings.DEBUG
223 return [] if passed_check else [W018]
226@register(Tags.security, deploy=True)
227def check_xframe_deny(app_configs, **kwargs):
228 passed_check = not _xframe_middleware() or settings.X_FRAME_OPTIONS == "DENY"
229 return [] if passed_check else [W019]
232@register(Tags.security, deploy=True)
233def check_allowed_hosts(app_configs, **kwargs):
234 return [] if settings.ALLOWED_HOSTS else [W020]
237@register(Tags.security, deploy=True)
238def check_referrer_policy(app_configs, **kwargs):
239 if _security_middleware():
240 if settings.SECURE_REFERRER_POLICY is None:
241 return [W022]
242 # Support a comma-separated string or iterable of values to allow fallback.
243 if isinstance(settings.SECURE_REFERRER_POLICY, str):
244 values = {v.strip() for v in settings.SECURE_REFERRER_POLICY.split(",")}
245 else:
246 values = set(settings.SECURE_REFERRER_POLICY)
247 if not values <= REFERRER_POLICY_VALUES:
248 return [E023]
249 return []
252@register(Tags.security, deploy=True)
253def check_cross_origin_opener_policy(app_configs, **kwargs):
254 if (
255 _security_middleware()
256 and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY is not None
257 and settings.SECURE_CROSS_ORIGIN_OPENER_POLICY
258 not in CROSS_ORIGIN_OPENER_POLICY_VALUES
259 ):
260 return [E024]
261 return []