Coverage for /var/srv/projects/api.amasfac.comuna18.com/tmp/venv/lib/python3.9/site-packages/django/core/checks/security/sessions.py: 33%
38 statements
1from django.conf import settings
3from .. import Tags, Warning, register
def add_session_cookie_message(message):
    """Return *message* with the Secure-cookie rationale appended.

    The suffix is shared by W010, W011 and W012 so that each warning
    explains why a secure-only session cookie matters: it makes it harder
    for someone sniffing network traffic to hijack user sessions.
    """
    rationale = (
        " Using a secure-only session cookie makes it more difficult for "
        "network traffic sniffers to hijack user sessions."
    )
    return message + rationale
# Warnings about a session cookie that is not marked secure-only.
# W010: the sessions app is installed; W011: the session middleware is
# enabled; W012: the generic form of the same finding. All three carry the
# rationale appended by add_session_cookie_message().
W010 = Warning(
    add_session_cookie_message(
        "You have 'django.contrib.sessions' in your INSTALLED_APPS, but you "
        "have not set SESSION_COOKIE_SECURE to True."
    ),
    id="security.W010",
)

W011 = Warning(
    add_session_cookie_message(
        "You have 'django.contrib.sessions.middleware.SessionMiddleware' in "
        "your MIDDLEWARE, but you have not set SESSION_COOKIE_SECURE to True."
    ),
    id="security.W011",
)

W012 = Warning(
    add_session_cookie_message(
        "SESSION_COOKIE_SECURE is not set to True."
    ),
    id="security.W012",
)
def add_httponly_message(message):
    """Return *message* with the HttpOnly-cookie rationale appended.

    The suffix is shared by W013, W014 and W015 so that each warning
    explains why an HttpOnly session cookie matters: it makes it harder
    for a cross-site scripting attack to hijack user sessions.
    """
    rationale = (
        " Using an HttpOnly session cookie makes it more difficult for "
        "cross-site scripting attacks to hijack user sessions."
    )
    return message + rationale
# Warnings about a session cookie that is not marked HttpOnly.
# W013: the sessions app is installed; W014: the session middleware is
# enabled; W015: the generic form of the same finding. All three carry the
# rationale appended by add_httponly_message().
W013 = Warning(
    add_httponly_message(
        "You have 'django.contrib.sessions' in your INSTALLED_APPS, but you "
        "have not set SESSION_COOKIE_HTTPONLY to True."
    ),
    id="security.W013",
)

W014 = Warning(
    add_httponly_message(
        "You have 'django.contrib.sessions.middleware.SessionMiddleware' in "
        "your MIDDLEWARE, but you have not set SESSION_COOKIE_HTTPONLY to "
        "True."
    ),
    id="security.W014",
)

W015 = Warning(
    add_httponly_message(
        "SESSION_COOKIE_HTTPONLY is not set to True."
    ),
    id="security.W015",
)
@register(Tags.security, deploy=True)
def check_session_cookie_secure(app_configs, **kwargs):
    """Warn when sessions are in use but SESSION_COOKIE_SECURE is falsy.

    Registered with ``deploy=True``, so it is a deployment check (run by
    ``manage.py check --deploy``) rather than part of every check run.

    Returns an empty list when the setting is truthy, or when neither the
    sessions app nor the session middleware is detected. Otherwise returns
    W010 (app only), W011 (middleware only), or the single generic W012
    when both are present.
    """
    if settings.SESSION_COOKIE_SECURE:
        return []

    found = []
    if _session_app():
        found.append(W010)
    if _session_middleware():
        found.append(W011)

    # Both triggers describe the same misconfiguration; report it once.
    return [W012] if len(found) > 1 else found
@register(Tags.security, deploy=True)
def check_session_cookie_httponly(app_configs, **kwargs):
    """Warn when sessions are in use but SESSION_COOKIE_HTTPONLY is falsy.

    Registered with ``deploy=True``, so it is a deployment check (run by
    ``manage.py check --deploy``) rather than part of every check run.

    Returns an empty list when the setting is truthy, or when neither the
    sessions app nor the session middleware is detected. Otherwise returns
    W013 (app only), W014 (middleware only), or the single generic W015
    when both are present.
    """
    if settings.SESSION_COOKIE_HTTPONLY:
        return []

    found = []
    if _session_app():
        found.append(W013)
    if _session_middleware():
        found.append(W014)

    # Both triggers describe the same misconfiguration; report it once.
    return [W015] if len(found) > 1 else found
def _session_middleware():
    """Return True if the stock session middleware is in settings.MIDDLEWARE.

    This is an exact match on the dotted path, so a subclass or replacement
    middleware listed under a different path is not detected and will not
    trigger the middleware-specific warnings.
    """
    dotted_path = "django.contrib.sessions.middleware.SessionMiddleware"
    return dotted_path in settings.MIDDLEWARE
def _session_app():
    """Return True if 'django.contrib.sessions' is in settings.INSTALLED_APPS.

    This is an exact match on the app label string as written in the
    setting; an entry spelled any other way is not detected.
    """
    app_label = "django.contrib.sessions"
    return app_label in settings.INSTALLED_APPS