Refs #26947 -- Added a deployment system check for SECURE_HSTS_PRELOAD.
@@ -101,6 +101,12 @@ W020 = Warning(
|
|||||||
id='security.W020',
|
id='security.W020',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
W021 = Warning(
|
||||||
|
"You have not set the SECURE_HSTS_PRELOAD setting to True. Without this, "
|
||||||
|
"your site cannot be submitted to the browser preload list.",
|
||||||
|
id='security.W021',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _security_middleware():
|
def _security_middleware():
|
||||||
return ("django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES or
|
return ("django.middleware.security.SecurityMiddleware" in settings.MIDDLEWARE_CLASSES or
|
||||||
@@ -140,6 +146,16 @@ def check_sts_include_subdomains(app_configs, **kwargs):
|
|||||||
return [] if passed_check else [W005]
|
return [] if passed_check else [W005]
|
||||||
|
|
||||||
|
|
||||||
|
@register(Tags.security, deploy=True)
|
||||||
|
def check_sts_preload(app_configs, **kwargs):
|
||||||
|
passed_check = (
|
||||||
|
not _security_middleware() or
|
||||||
|
not settings.SECURE_HSTS_SECONDS or
|
||||||
|
settings.SECURE_HSTS_PRELOAD is True
|
||||||
|
)
|
||||||
|
return [] if passed_check else [W021]
|
||||||
|
|
||||||
|
|
||||||
@register(Tags.security, deploy=True)
|
@register(Tags.security, deploy=True)
|
||||||
def check_content_type_nosniff(app_configs, **kwargs):
|
def check_content_type_nosniff(app_configs, **kwargs):
|
||||||
passed_check = (
|
passed_check = (
|
||||||
|
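Review bot: check_sts_preload carries no comment explaining why it keys only on SECURE_HSTS_SECONDS and says nothing about SECURE_HSTS_INCLUDE_SUBDOMAINS, even though the browser preload list only accepts a site that also sends includeSubDomains, so a reader may take W021 as the whole preload story. A one-line comment above `passed_check = (` would settle it: `# Only meaningful once HSTS is on; includeSubDomains is covered separately by W005.` The `settings.SECURE_HSTS_PRELOAD is True` comparison means a truthy non-bool value such as 1 still raises W021; that appears to match the strict style of the neighbouring check_sts_include_subdomains, so it is worth keeping deliberately rather than loosening to truthiness. The W021 text in the first hunk is accurate as a necessary condition, but if the project wants the warning self-contained it could add that preload submission also requires includeSubDomains and a long max-age.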
@@ -596,6 +596,9 @@ The following checks are run if you use the :option:`check --deploy` option:
|
|||||||
for your site to serve other parts of itself in a frame, you should change
|
for your site to serve other parts of itself in a frame, you should change
|
||||||
it to ``'DENY'``.
|
it to ``'DENY'``.
|
||||||
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
||||||
|
* **security.W021**: You have not set the
|
||||||
|
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
|
||||||
|
cannot be submitted to the browser preload list.
|
||||||
|
|
||||||
Sites
|
Sites
|
||||||
-----
|
-----
|
||||||
|
@@ -594,6 +594,7 @@ prefetches
|
|||||||
prefetching
|
prefetching
|
||||||
prefork
|
prefork
|
||||||
preforked
|
preforked
|
||||||
|
preload
|
||||||
prepend
|
prepend
|
||||||
prepended
|
prepended
|
||||||
prepending
|
prepending
|
||||||
|
@@ -307,6 +307,50 @@ class CheckStrictTransportSecuritySubdomainsTest(SimpleTestCase):
|
|||||||
self.assertEqual(self.func(None), [])
|
self.assertEqual(self.func(None), [])
|
||||||
|
|
||||||
|
|
||||||
|
class CheckStrictTransportSecurityPreloadTest(SimpleTestCase):
|
||||||
|
@property
|
||||||
|
def func(self):
|
||||||
|
from django.core.checks.security.base import check_sts_preload
|
||||||
|
return check_sts_preload
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
|
||||||
|
SECURE_HSTS_PRELOAD=False,
|
||||||
|
SECURE_HSTS_SECONDS=3600,
|
||||||
|
)
|
||||||
|
def test_no_sts_preload(self):
|
||||||
|
"""
|
||||||
|
Warn if SECURE_HSTS_PRELOAD isn't True.
|
||||||
|
"""
|
||||||
|
self.assertEqual(self.func(None), [base.W021])
|
||||||
|
|
||||||
|
@override_settings(MIDDLEWARE=[], SECURE_HSTS_PRELOAD=False, SECURE_HSTS_SECONDS=3600)
|
||||||
|
def test_no_sts_preload_no_middleware(self):
|
||||||
|
"""
|
||||||
|
Don't warn if SecurityMiddleware isn't installed.
|
||||||
|
"""
|
||||||
|
self.assertEqual(self.func(None), [])
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
|
||||||
|
SECURE_SSL_REDIRECT=False,
|
||||||
|
SECURE_HSTS_SECONDS=None,
|
||||||
|
)
|
||||||
|
def test_no_sts_preload_no_seconds(self):
|
||||||
|
"""
|
||||||
|
Don't warn if SECURE_HSTS_SECONDS isn't set.
|
||||||
|
"""
|
||||||
|
self.assertEqual(self.func(None), [])
|
||||||
|
|
||||||
|
@override_settings(
|
||||||
|
MIDDLEWARE=["django.middleware.security.SecurityMiddleware"],
|
||||||
|
SECURE_HSTS_PRELOAD=True,
|
||||||
|
SECURE_HSTS_SECONDS=3600,
|
||||||
|
)
|
||||||
|
def test_with_sts_preload(self):
|
||||||
|
self.assertEqual(self.func(None), [])
|
||||||
|
|
||||||
|
|
||||||
class CheckXFrameOptionsMiddlewareTest(SimpleTestCase):
|
class CheckXFrameOptionsMiddlewareTest(SimpleTestCase):
|
||||||
@property
|
@property
|
||||||
def func(self):
|
def func(self):
|
||||||
|
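Review bot: test_no_sts_preload_no_seconds overrides SECURE_SSL_REDIRECT=False, a setting check_sts_preload never reads, and leaves SECURE_HSTS_PRELOAD at its (presumably False) project default, so the case passes only through the SECURE_HSTS_SECONDS=None short circuit and does not actually pin the preload setting it is named for. Replace that line with `SECURE_HSTS_PRELOAD=False,` so the three negative tests in CheckStrictTransportSecurityPreloadTest exercise the same pair of settings. test_with_sts_preload is also the only method in the new class without a docstring; `"""Don't warn if SECURE_HSTS_PRELOAD is True."""` would match its siblings.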